Security Policy

IronStreak takes user data privacy and security seriously. Because the app is designed with privacy by default — no accounts, no servers, no cloud sync — the security surface is smaller than most mobile apps. But we still welcome responsible disclosure of any issues.

Reporting a vulnerability

Email hello@ironstreak.com with a subject line prefixed with [SECURITY]. Please include steps to reproduce, affected versions, and any supporting material (videos, logs, PoC).

Scope

In scope: the IronStreak iOS app and the ironstreak.com website. Out of scope: Apple's platform (report to Apple), third-party services, and social engineering.

What to expect

We aim to acknowledge reports within 72 hours, triage within one week, and ship a fix within 30 days for critical issues. We don't currently run a paid bug bounty, but we credit researchers publicly in our changelog (unless you prefer anonymity).

security.txt

Machine-readable contact info is published at /.well-known/security.txt per RFC 9116.