SkyFi
Trust & Security

Vulnerability Disclosure Program

Help us keep SkyFi secure.

Our Commitment

We take every credible report seriously

SkyFi welcomes reports from good-faith security researchers. If you believe you've found a vulnerability in our systems, this page explains what's in scope, how to report it, and the protection we offer researchers who follow these guidelines.

SkyFi provides pay-by-bank and business checking infrastructure, so the integrity of our platform directly protects our customers' money. We take every credible report seriously, investigate promptly, and remediate confirmed issues on a timeline that matches their severity.

This program covers our own web application, APIs, and customer-facing infrastructure. It does not replace or override any separate program operated by our banking partner, Grasshopper Bank, N.A., or by other third-party vendors we integrate with.

Scope

What's covered

In scope

  • skyfichecking.com and subdomains
  • SkyFi web application & customer dashboard
  • Publicly reachable SkyFi APIs
  • SkyFi mobile apps (iOS & Android)

Out of scope

  • Grasshopper Bank, N.A. systems & infrastructure
  • Third-party vendors, plugins, or integrations
  • Physical security & social engineering of staff
  • Denial-of-service or volumetric testing
  • Spam, phishing, or DNS/email spoofing reports (SPF/DKIM/DMARC)
Rules of Engagement

How to test responsibly

Own accounts only

Only test against your own accounts or test data — never access, modify, or exfiltrate another customer's data or funds.

Stop at proof of concept

Stop and report immediately once you've established a vulnerability exists; don't escalate beyond what's needed for a proof of concept.

No service degradation

No automated scanning that could degrade service for other customers (no high-volume fuzzing, load testing, or brute force against production).

No social engineering

No social engineering, phishing, or physical attacks against SkyFi staff, contractors, or customers.

Coordinated disclosure

Give us a reasonable window to investigate and remediate before any public disclosure — we ask for 90 days from acknowledgment.

Private reporting channel

Report through the channel below, not through public issue trackers, social media, or other public forums.

Safe Harbor

Authorized research

Activity conducted in good faith, consistent with this policy, is considered authorized testing. We will not pursue legal action or refer you for prosecution for research performed within these guidelines, and we will make that authorization clear to any third party (including law enforcement) if a question arises. This does not apply to testing against Grasshopper Bank, N.A. or other third-party infrastructure outside SkyFi's control.

Report Contents

What to include in a report

  • A clear description of the vulnerability and its potential impact
  • Step-by-step reproduction instructions, including affected URLs, endpoints, or app screens
  • Proof-of-concept code, request/response captures, or screenshots (redact any real customer data)
  • The account, browser, device, or environment used for testing
  • Encrypt reports containing sensitive proof-of-concept details when possible, especially for anything above Medium severity.
Triage

How we triage severity

Critical

1 day

Unauthorized fund movement, full account takeover, auth bypass

High

2 days

Sensitive data exposure, privilege escalation, injection with real impact

Medium

3 days

Logic flaws with limited impact, stored/reflected issues needing user interaction

Low / Info

5 days

Best-practice gaps, misconfigurations with minimal exploitability

Response

Response commitments

AcknowledgmentWithin 3 business days
ValidationSeverity assigned after triage, per table below
Resolution updatesPeriodic status until closed
Recognition

Credits

SkyFi does not currently operate a paid bug bounty. Researchers who submit valid, in-scope reports may be credited in an acknowledgments page at our discretion, with your permission.

Report a vulnerability

Email the security team with the details listed on this page.

security@skyfichecking.com

For general account or banking questions, contact support or review our Trust & Security overview.