Security Policy

Last Updated: 21 February 2026 · Version 1.0

Responsible Disclosure

We take security seriously and appreciate the efforts of security researchers who help us protect our users. This policy outlines our commitment to working with the security community.

1. Reporting a Vulnerability

If you discover a security vulnerability, please report it to us privately:

  • Email: security@revveltix.com
  • PGP Key: Available at /.well-known/security.txt
  • Response Time: We aim to respond within 48 hours

2. What to Include in Your Report

  • Description of the vulnerability and its potential impact
  • Steps to reproduce the issue (proof-of-concept)
  • Affected URLs, endpoints, or components
  • Your contact information for follow-up questions
  • Any suggested remediation or mitigation

3. Our Commitment

When you report a vulnerability responsibly, we commit to:

  • Acknowledge receipt of your report within 48 hours
  • Provide an estimated timeline for resolution
  • Keep you informed of our progress
  • Credit you in our security acknowledgments (if desired)
  • Not pursue legal action for good-faith security research

4. Scope

In Scope:

  • www.revveltix.com and api.revveltix.com
  • Mobile-responsive web application
  • API endpoints and authentication flows
  • Payment processing integration (Stripe)
  • QR code ticket validation system

Out of Scope:

  • Social engineering attacks
  • Physical attacks on our infrastructure
  • Denial of Service (DoS/DDoS) attacks
  • Spam or social media accounts
  • Third-party services (Stripe, Cloudflare, etc.)

5. Safe Harbor

We consider security research conducted under this policy to be:

  • Authorized under the Computer Fraud and Abuse Act
  • Exempt from DMCA anti-circumvention provisions
  • Protected from legal action if conducted in good faith

Good faith means: you make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.

6. Rules of Engagement

When testing for vulnerabilities, please:

  • Only test against accounts you own or have explicit permission to test
  • Do not access or modify other users' data
  • Do not perform attacks that could harm availability (DoS, resource exhaustion)
  • Do not exploit vulnerabilities beyond demonstrating proof-of-concept
  • Do not disclose the vulnerability publicly until we've had time to fix it (90 days)

7. Vulnerability Severity Guidelines

Critical: Remote code execution, SQL injection, authentication bypass

High: XSS, CSRF, privilege escalation, payment manipulation

Medium: Information disclosure, broken access control

Low: Security misconfigurations, missing best practices

8. Bug Bounty

We currently do not offer a paid bug bounty program. However, we provide:

  • Public acknowledgment on our security hall of fame (if desired)
  • Free event tickets or Revvel credits for significant findings
  • Direct communication with our security team

9. Security Measures

We implement industry-standard security controls:

  • Transport Security: TLS 1.3 with HSTS enforcement
  • Authentication: Laravel Sanctum with secure session management
  • Authorization: Role-based access control (RBAC)
  • Data Protection: AES-256 encryption at rest, field-level encryption for sensitive data
  • Input Validation: Server-side validation, parameterized queries
  • Security Headers: CSP, X-Frame-Options, HSTS, etc.
  • Monitoring: Real-time security event logging and alerting
  • Backups: Automated daily backups with 30-day retention

10. Contact

For security-related questions or concerns:
Email: security@revveltix.com