-
Solutions
-
Website to App Converter
Get an app prototype in 2 minutes
-
Contest Voting App
Boost your voting contest with an app
-
Pageant Voting System
Create a flashy app for your pageant
-
Fan engagement app
Grow your fan engagement with an app
-
News app
Grow engagement with your readers
-
Event app
Engage your attendees
-
TV Show app
Grow interactions with your viewers
-
- Enterprise
- Pricing
- References
- AI App Builder
- Resources
Choicely Vulnerability Disclosure
Effective date: April 20, 2026
Choicely takes the security of its services seriously and welcomes responsible reports of security vulnerabilities. This policy explains how to report a vulnerability, what we commit to in return, and what is in scope.
1. Reporting a vulnerability
Please report suspected vulnerabilities to [email protected]. Where possible, encrypt your message using our PGP key, available at choicely.com/.well-known/security.txt.
A useful report includes:
- A clear description of the vulnerability and its potential impact.
- Steps to reproduce the issue, including any proof-of-concept code, request payloads, or screenshots.
- The affected URL, endpoint, app version, or component.
- Your name and contact details (or a pseudonym, if you prefer).
If you would like credit in our public acknowledgments, let us know in your report.
2. Our commitments
- We will acknowledge your report within 3 business days.
- We will provide an initial assessment within 10 business days.
- We will keep you informed of progress until the issue is resolved or otherwise closed.
- We will not pursue legal action against researchers who act in good faith and follow this policy.
- We will publicly credit you in our acknowledgments page if you wish, once the issue is resolved.
3. Safe harbor
We consider activity conducted consistent with this policy to be authorized testing under applicable computer-misuse and data-protection laws, and we will not initiate or recommend legal action against researchers for such activity. If a third party initiates legal action against you in connection with activity that complied with this policy, we will make this authorization known.
This safe harbor does not extend to activity that violates this policy, that targets the data, accounts, or services of other customers, or that breaks applicable law.
4. Scope
In scope
- choicely.com and its subdomains operated by Choicely.
- The Choicely platform and Choicely Studio admin tools.
- The Choicely AI app builder.
- Choicely public APIs and SDKs.
Out of scope
- Apps and websites built and operated by Choicely customers using the Services. Please report vulnerabilities in those products to the relevant customer.
- Third-party services we integrate with, including AI subprocessors. Please report directly to the third party.
- Findings that require physical access, social engineering of Choicely staff, or denial-of-service testing.
- Issues that depend on outdated browsers or operating systems no longer supported by their vendor.
- Reports generated solely by automated scanners without demonstrated impact.
5. Rules of engagement
- Do not access, modify, delete, or exfiltrate data that does not belong to you.
- If you accidentally encounter such data, stop testing, do not retain or share it, and report it to us immediately.
- Use test accounts that you create for the purpose. Do not test against real customer accounts without their explicit permission.
- Avoid actions that could degrade the availability of the Services for other users (no DoS, no aggressive scanning, no spam testing).
- Give us a reasonable opportunity to investigate and remediate before publicly disclosing the vulnerability — typically 90 days from initial report, extendable by mutual agreement for severe or complex issues.
6. Coordinated disclosure
After we have remediated the issue, we welcome coordinated public disclosure. We will work with you on the timing, content, and credit of any public write-up.
7. No bug bounty (yet)
Choicely does not currently operate a paid bug bounty program. We may launch one in the future. In the meantime we will gladly provide credit, swag where available, and our genuine thanks.
8. Contact
Security reports: [email protected]
Machine-readable contact: choicely.com/.well-known/security.txt