§1 How to report
Email security@piccull.com with a description of the issue, the steps to reproduce it, and the impact you believe it has. Plain English is fine — you don’t need a CVSS score. If the report involves account data, please use a test account where possible rather than another user’s real data.
Machine-readable contact details live at /.well-known/security.txt.
§2 Scope
- In scope: piccull.com, app.piccull.com, the PicCull API, and the PicCull iOS app — anything that could expose user data, listings, photos, eBay tokens, or payment state.
- Out of scope: third-party services we integrate with (eBay, Stripe, Cloudflare, Vercel, Railway, Neon — report those to the vendor), denial of service, volumetric attacks, spam, social engineering of PicCull staff or users, and findings that require physical access to a user’s device.
§3 What we ask
- Give us a reasonable chance to fix the issue before disclosing it publicly.
- Don’t access, modify, or delete data that isn’t yours. If you stumble into another user’s data, stop and report it.
- Don’t degrade the service for other users while testing.
§4 What you can expect
- An acknowledgment within 2 business days.
- An honest assessment of the report and a fix timeline when the issue is confirmed.
- Credit for the find if you want it, once a fix has shipped.
PicCull does not currently run a paid bug bounty. If that changes, this page will say so.
§5 Good faith
We will not pursue legal action against researchers who follow this policy in good faith — who test within scope, avoid harming users or data, and give us time to fix what they find. If you’re ever unsure whether something is in bounds, ask first at security@piccull.com.