Vulnerability Disclosure Policy

If you discover a security vulnerability in ControlarGastos we would be grateful if you reported it to us privately before making it public. This page describes how to do so and what you can expect from us.

Last updated:

1. Reporting channel

Send an email to [email protected] with a description of the vulnerability, the steps to reproduce it, its estimated impact and any proof of concept that helps to understand it.

Do not use this channel for general support, functional questions or bug reports unrelated to security — for that, use the Service's contact form.

2. Scope

We accept reports about any subdomain of controlargastos.es, the Service API and the authentication, authorisation and user-data flows. As a non-exhaustive reference, we are especially interested in:

  • Vulnerabilities that allow access to other users' data (IDOR, authorisation flaws, leaks of personal or financial information).
  • Bypass of authentication, session management or email verification.
  • XSS, CSRF, SQL injection, SSRF, insecure deserialisation, RCE.
  • Bypass of the quotas and limits of the plans (free / pro / premium).
  • Exposure of credentials, tokens, keys or any operational secret.
  • Issues in the group-invitation or debt-management flow that allow manipulation of third-party data.

3. Out of scope

We do not consider the following findings a vulnerability, unless you provide a proof of concept with real impact:

  • Generic HTTP-header hardening recommendations (CSP, HSTS, COOP, COEP) without a demonstrated exploitable scenario.
  • Lack of DNSSEC, DMARC p=quarantine/reject or similar email configurations when they do not lead to a concrete compromise.
  • UI or usability bugs that do not affect confidentiality, integrity or availability.
  • Automated scanner results without manual analysis or demonstrated exploitation.
  • Issues that require physical access to the victim's device, social engineering outside the Service or preinstalled malware.
  • Attacks that depend on outdated versions of the user's browser or operating system.
  • Reports about third-party services (Cloudflare, hosting provider, OpenRouter, etc.); please direct those to the relevant programme.
  • Findings obtained through tests that degrade the Service (denial of service, aggressive fuzzing, mass submissions).

4. Response times

As an early-stage project run by a small team, our commitments are as follows:

  • Acknowledgement of receipt: within a maximum of 72 hours.
  • Triage and confirmation: within a maximum of 7 calendar days from the acknowledgement.
  • Resolution: depending on severity. Critical or high-impact vulnerabilities are prioritised immediately; the rest are scheduled within the normal release flow.

We will keep you informed of the status of the report until it is closed.

5. Our commitment

If you act in good faith, within the scope of this policy and in accordance with the responsible-disclosure rules in section 6, ControlarGastos:

  • Will not take legal action against you for the findings reported.
  • Will work with you to understand and reproduce the problem.
  • Will notify you when the fix has been deployed.
  • If you wish and the report is valid, we can publicly acknowledge you as the discoverer on a credits page. This is not a paid bug bounty programme: the project is in its launch phase and does not yet have a budget for rewards.

6. Responsible disclosure rules

So that we can work with you, we ask that you:

  • Do not access, modify or destroy other users' data beyond the minimum necessary to demonstrate the problem. If you come across third-party personal information, stop and let us know.
  • Do not intentionally degrade the Service (denial-of-service attacks, mass scans, aggressive automation).
  • Do not publish the details of the vulnerability until it is resolved and by mutual agreement with us.
  • Use only your own test accounts to reproduce the problem.
  • Comply with the applicable legislation at all times.

Repeated breach of these rules excludes the report from the responsible-disclosure framework described in section 5 and may lead to whatever action is appropriate in the circumstances.

7. Processing of personal data in the report

When you write to the security address, we process your email address and the content of the message for the sole purpose of handling the report. The legal basis is our legitimate interest in protecting the Service and those who use it. We will keep the correspondence for as long as necessary to resolve the case and for the applicable limitation periods. See the Privacy Policy for more details.