Security

Vulnerability Disclosure

ShowSmartly takes the security of its customers' data seriously. We welcome responsible reports from the security research community.

Last updated: May 3, 2026

Reporting a Vulnerability

If you believe you've discovered a security vulnerability in our service, please email support@showsmartly.ai with a clear description, steps to reproduce, and any supporting evidence (logs, screenshots, proof-of-concept).

A machine-readable contact is also published at /.well-known/security.txt per RFC 9116.

Scope

  • showsmartly.ai and all subdomains (including www.showsmartly.ai)
  • realtor-comp.com
  • Our Supabase Edge Functions and authenticated API endpoints

Out of Scope

  • Denial-of-service attacks, volumetric or otherwise
  • Social engineering of our staff, customers, or vendors
  • Physical attacks against our infrastructure
  • Findings against third-party services we integrate with (Supabase, Stripe, Google, Microsoft, Resend, Mailgun, Follow Up Boss) — please report those to the relevant vendor
  • Reports from automated scanners without a demonstrated impact
  • Missing best-practice headers without a demonstrated exploit
  • Self-XSS, clickjacking on pages without sensitive actions, or issues that require a fully compromised victim device

Safe Harbor

We will not pursue legal action against researchers who, in good faith, comply with this policy. Specifically, you must:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service interruption
  • Only interact with accounts you own or have explicit permission to test
  • Not exfiltrate, retain, or share more data than is strictly necessary to demonstrate the issue
  • Give us a reasonable amount of time to investigate and remediate before public disclosure
  • Not use the issue to access, modify, or destroy other users' data

Our Commitments

  • Acknowledgement: within 3 business days of receipt
  • Initial triage: within 7 business days
  • Status updates: at least every 14 days until resolution
  • Coordinated disclosure: we will agree on a disclosure timeline with you and credit you (if desired) once a fix is deployed

Bug Bounty

ShowSmartly does not currently operate a paid bug bounty program. We are happy to publicly acknowledge researchers (with permission) on this page once an issue has been remediated.

Encrypted Communication

For sensitive reports, you may request our PGP key by emailing support@showsmartly.ai.