Legal

Security Policy

Last updated: May 29, 2026

Overview

Boba Globe uses technical, organisational, and provider-managed safeguards to protect accounts, saved projects, billing status, route data, and service operations. No internet service can be guaranteed perfectly secure, so this policy explains how to report a security concern and what testing is allowed.

Security Practices

  • HTTPS, security headers, and editor cross-origin isolation are used for the app surfaces that need them.
  • Supabase Auth, row-level database policies, storage ownership checks, and server-side authorization checks protect account and project data.
  • Stripe-hosted payment surfaces process payment cards; Boba Globe does not store full card numbers.
  • Stripe webhooks and Supabase Auth email hooks use signature or shared-secret verification where configured.
  • Operational logging is reviewed to avoid unnecessary route-provider payloads, selected flight identifiers, OTPs, secrets, full card data, or unnecessary sensitive information.
  • Internal retention, provider review, transfer review, privacy request, and incident runbooks support launch and incident response.

Reporting A Vulnerability

If you believe you found a vulnerability in Boba Globe, email support@bobaglobe.com with the subject line "Security Report: Boba Globe". Include the affected URL or feature, a clear description, reproduction steps, impact, and any screenshots or logs that do not expose another person's data.

Do not send passwords, one-time codes, full payment-card data, government identifiers, health information, or another user's personal information. If you accidentally access data that is not yours, stop testing and report the issue promptly.

Testing Rules

We currently allow good-faith, low-volume testing only against accounts and data you own or have explicit permission to test. This policy does not authorize access to another user's account, data, project, billing information, provider account, source repository, deployment console, or infrastructure outside Boba Globe's public app surface.

  • Do not perform denial-of-service, stress, load, spam, credential-stuffing, social-engineering, phishing, physical, or destructive testing.
  • Do not exfiltrate, alter, delete, retain, publicly disclose, or share data that is not yours.
  • Do not bypass payment, subscription, export, rate-limit, account, or provider controls except as needed to demonstrate an issue using your own account and minimal proof.
  • Do not test third-party services such as Supabase, Stripe, Vercel, AWS, Flightradar24, Google Maps Platform, unpkg, or other providers except through Boba Globe's normal public app behavior.
  • Do not publicly disclose a vulnerability until Boba Globe has had a reasonable opportunity to investigate and address it.

No Bug Bounty

Boba Globe does not currently offer a paid bug bounty, reward program, or formal safe-harbor promise. Reports are appreciated, but compensation, public credit, and legal authorization beyond this written testing scope are not guaranteed.

Incident Response

When we receive a security report, we triage the issue, preserve necessary evidence, limit access to sensitive details, work with affected providers where needed, and notify users, regulators, providers, or law enforcement when required by law or appropriate for user protection.

Contact

Security questions and vulnerability reports can be sent to support@bobaglobe.com.