Security Policy
GEO-ify takes the security of our merchants’ data and our Shopify integration seriously. This page is the authoritative reference linked from /.well-known/security.txt.
Reporting a vulnerability
Email support@geo-ify.com with:
- A description of the issue
- Steps to reproduce
- Impact assessment (what an attacker could do)
- Any proof-of-concept code or screenshots
Or open a GitHub Security Advisory on our repo — that channel is end-to-end encrypted with the maintainers and produces a CVE if applicable.
Please do NOT open a public issue, public PR, or social-media post about a suspected vulnerability before we’ve had a chance to address it. Public disclosure before a fix puts merchants at risk.
Response timeline
- Acknowledgement: within 48 hours of your report (this may slip to ~72h over weekends/holidays, since we count business days).
- Initial assessment: within 7 days — we’ll either confirm the issue, ask follow-up questions, or explain why it isn’t a vulnerability.
- Resolution: typically within 30 days for medium/high severity; critical issues are prioritized same-day. Some classes of fixes (cryptographic changes, broad refactors) may take longer; we’ll keep you posted.
- Coordinated disclosure: 90 days from initial report, or 7 days after a public fix lands, whichever is sooner. We’re happy to extend the timeline if the fix is genuinely complex.
Scope
In scope
- The GEO-ify Shopify app (deployed at https://www.geo-ify.com)
- The embedded admin UI served at /app/*
- All public-surface routes (/, /privacy, /terms, /healthz, /llms.txt, /robots.txt, /sitemap.xml, /.well-known/*, /api/csp-report)
- Webhook endpoints (/webhooks/*) — HMAC verification, idempotency, payload handling
- Auth/OAuth flow (/auth/*)
- The Trigger.dev worker tasks that process merchant data
- The Cloudflare DNS + Email Routing setup for geo-ify.com
Out of scope
- The Shopify platform itself — report platform issues to https://www.shopify.com/security. We will route issues we receive about Shopify to them.
- Third-party libraries (Prisma, React Router, Polaris, etc.), unless the issue is specifically exploitable through our code path; in that case it is in scope.
- Social-engineering attacks against our employees, contractors, or customers.
- Findings from automated scanners without a proof-of-concept (e.g. “X-Powered-By header is missing” — please verify the issue first).
- DoS / volumetric attacks against our public surface (we have rate-limiting in place; report rate-limit bypasses, not the mere existence of finite capacity).
Safe harbor
We support good-faith security research and will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, destruction of data, or interruption/degradation of our service
- Only interact with their own accounts or test accounts they own or have explicit permission to test
- Do not exfiltrate more data than necessary to demonstrate the issue
- Report the issue promptly via the channels above and give us reasonable time to respond before public disclosure
- Do not attempt to access other users’ data
If you have any doubt about whether your testing falls inside safe harbor, email us first and ask.
Recognition
We don’t currently run a paid bug-bounty program (early-stage app, limited budget), but we will credit any researcher whose report led to a fix in the CHANGELOG entry, a dedicated section in this policy, and/or a GitHub Security Advisory (which produces a public CVE record with your name as the discoverer). Just let us know your preferred handle in your initial report. If you’d prefer anonymity, we’ll honor that.
Encryption
We do not currently publish a PGP key. If you have particularly sensitive material to share, use the GitHub Security Advisory link above — GitHub transports those messages end-to-end with the maintainers.