Responsible Disclosure

Last updated: Oct 23nd, 2025

Our Commitment to Security

At 7shifts, the security of our systems and the protection of our customer data is a top priority. We value the crucial role the security research community plays in helping us stay secure. This policy explains how to report vulnerabilities to us, what you can expect from us, and how we can work together to protect our users.

Our Responsible Disclosure Program is facilitated through Inspectiv, a private bug bounty platform.

How to Report a Vulnerability

We have two distinct channels for submitting your findings. Please choose the one that best fits your situation.

1. For Bug Bounties (Seeking Compensation): If you are seeking a monetary reward for your findings, you must be a registered researcher with Inspectiv.`
   1. To Submit: Register and submit your findings through the official 7shifts Bug Bounty Program on Inspectiv.
   2. Sign up here: https://www.inspectiv.com/researchers
2. For Voluntary Disclosure (Not Seeking Compensation): If you are not seeking compensation but wish to report a vulnerability for the good of the community, please use our voluntary disclosure form.
   1. Submit here: https://client.inspectiv.com/vdp/7shifts/submit-report

Scope

This policy applies to any digital assets owned, operated, or maintained by 7shifts. To help you focus your efforts, we have defined what is in and out of scope.

In-Scope Assets

1. Mobile Applications
   1. 7shifts Android App
   2. 7shifts iOS App
2. API Endpoints
   1. https://oauth.7shifts.com
   2. https://login.7shifts.com/oauth2
   3. https://api.7shifts.com
   4. https://files.7shifts.com
   5. https://gql.7shifts.com
   6. https://app.7shifts.com/gql/v2
3. Web Portal
   1. https://app.7shifts.com

Out-of-Scope Assets & Activities

1. Any domains, subdomains, or services not explicitly listed in the “In-Scope” section.
2. Third-party services or vendors used by 7shifts.
3. Social engineering (e.g., phishing), physical attacks, or testing that targets our employees, offices, or data centers.
4. Activities that could disrupt our service (Denial of Service, spamming, etc.).

Excluded Vulnerability Types

We generally do not award bounties for vulnerabilities that have no demonstrable security impact. While we encourage you to report anything you find, the following are examples of issues that are not eligible for a reward through our bug bounty program:

1. Reports from automated scanners without a validated proof-of-concept.
2. Missing security best practices (e.g., missing HTTP security headers, SPF/DKIM records, weak SSL cipher suites) without proof of a real-world vulnerability.
3. Disclosure of known-public files or software versions.
4. Clickjacking on pages without sensitive actions.
5. Username/email enumeration.
6. Self-XSS and other issues requiring unlikely user interaction.

For a complete and detailed list of excluded vulnerability types, please review the full program policy on the Inspectiv platform.

Program Rules & Expectations

To ensure our program is safe and effective for everyone, we require all researchers to adhere to the following rules:

1. Report promptly: Let us know as soon as you discover a potential vulnerability.
2. Avoid harm: Do not disrupt our systems, destroy data, or violate the privacy of our users. If you encounter any user data (PII, PHI, etc.), stop immediately and report it.
3. Test responsibly: Only interact with test accounts you own. Do not perform testing that violates laws or compromises data that is not your own.
4. Maintain confidentiality: Provide us a reasonable amount of time (at least 180 days) to resolve an issue before you disclose it publicly. Do not discuss vulnerabilities through unofficial channels.
5. No extortion: Do not engage in any form of extortion or threats.

Security researchers that are participating in our bug bounty program, which is managed by Inspectiv, will be required to agree to Inspectiv’s rules, terms, and conditions. Sign up at https://www.inspectiv.com/researchers.

Safe Harbor

We consider security research conducted under this policy to be authorized. We will not initiate or support legal action against you for good-faith, accidental violations of this policy, provided you comply with all applicable laws and adhere to the guidelines outlined herein.

Our Process & Timelines

Once you submit a report, here’s what you can expect from us:

1. Initial Response: We will do our best to reply to your initial report within 48 hours.
2. Updates: We will provide updates on our progress at reasonable intervals.
3. Public Disclosure: We ask for at least 180 days to remediate a vulnerability before public disclosure. We will coordinate with you to ensure our public disclosures are posted at the same time.

Severity is determined by Inspectiv’s triage team based on impact and the privileges required to exploit the vulnerability. For more detail on the rating process, please refer to the documentation within the Inspectiv platform.