Security Policy

Last updated: April 14, 2026

ThrottleShare (operated by Deer Track Design LLC) takes the security of our Platform, our users, and their data seriously. We welcome responsible disclosure of security vulnerabilities by researchers operating in good faith.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability affecting ThrottleShare, please email [email protected] with the subject line “Security Report”. Please include:

  • A clear description of the vulnerability and its potential impact
  • Steps to reproduce (URLs, payloads, screenshots, video if applicable)
  • Your name or handle (if you want public acknowledgment)

We will acknowledge receipt within 5 business days and work to validate, fix, and deploy a remediation as quickly as possible. We will keep you informed of our progress.

Safe Harbor

If you conduct your research in accordance with this policy, ThrottleShare will not:

  • Initiate or support legal action against you for your research
  • Pursue claims under the Computer Fraud and Abuse Act (CFAA), the DMCA anti-circumvention provisions, or analogous state or foreign laws

We consider your research to be conducted in good faith if you:

  • Give us reasonable time to investigate and remediate before public disclosure
  • Do not exploit the vulnerability beyond what is necessary to confirm it
  • Do not access, modify, download, or retain data belonging to other users
  • Do not degrade, disrupt, or deny service to the Platform or other users
  • Do not use automated, high-volume, or destructive testing against production infrastructure
  • Do not attempt social engineering, phishing, or physical attacks against our staff, users, or infrastructure
  • Comply with all applicable laws and do not publicly disclose the vulnerability before it is resolved or 90 days have passed, whichever is first

Out of Scope

The following generally do not qualify as security vulnerabilities under this program:

  • Reports that require unrealistic user interaction (e.g., self-XSS, clickjacking without impact)
  • Missing HTTP security headers without a demonstrated exploit
  • Denial-of-service attacks based on volume or resource exhaustion
  • Social engineering of ThrottleShare staff or users
  • Physical attacks against ThrottleShare property or personnel
  • Issues in third-party services (Stripe, Cloudinary, Mapbox) — report those to the vendor
  • Spam, phishing, or fraud content created by other users (report to [email protected])

Acknowledgments

With your permission, we will publicly acknowledge researchers who make valid reports. ThrottleShare does not currently operate a paid bug bounty program, but we will consider monetary rewards on a case-by-case basis for impactful reports.

Machine-Readable Contact

See /.well-known/security.txt (RFC 9116).
