Vulnerability Disclosure Program
Help us keep SkyFi secure.
We take every credible report seriously
SkyFi welcomes reports from good-faith security researchers. If you believe you've found a vulnerability in our systems, this page explains what's in scope, how to report it, and the protection we offer researchers who follow these guidelines.
SkyFi provides pay-by-bank and business checking infrastructure, so the integrity of our platform directly protects our customers' money. We take every credible report seriously, investigate promptly, and remediate confirmed issues on a timeline that matches their severity.
This program covers our own web application, APIs, and customer-facing infrastructure. It does not replace or override any separate program operated by our banking partner, Grasshopper Bank, N.A., or by other third-party vendors we integrate with.
What's covered
In scope
- skyfichecking.com and subdomains
- SkyFi web application & customer dashboard
- Publicly reachable SkyFi APIs
- SkyFi mobile apps (iOS & Android)
Out of scope
- Grasshopper Bank, N.A. systems & infrastructure
- Third-party vendors, plugins, or integrations
- Physical security & social engineering of staff
- Denial-of-service or volumetric testing
- Spam, phishing, or DNS/email spoofing reports (SPF/DKIM/DMARC)
How to test responsibly
Own accounts only
Only test against your own accounts or test data — never access, modify, or exfiltrate another customer's data or funds.
Stop at proof of concept
Stop and report immediately once you've established a vulnerability exists; don't escalate beyond what's needed for a proof of concept.
No service degradation
No automated scanning that could degrade service for other customers (no high-volume fuzzing, load testing, or brute force against production).
No social engineering
No social engineering, phishing, or physical attacks against SkyFi staff, contractors, or customers.
Coordinated disclosure
Give us a reasonable window to investigate and remediate before any public disclosure — we ask for 90 days from acknowledgment.
Private reporting channel
Report through the channel below, not through public issue trackers, social media, or other public forums.
Authorized research
Activity conducted in good faith, consistent with this policy, is considered authorized testing. We will not pursue legal action or refer you for prosecution for research performed within these guidelines, and we will make that authorization clear to any third party (including law enforcement) if a question arises. This does not apply to testing against Grasshopper Bank, N.A. or other third-party infrastructure outside SkyFi's control.
What to include in a report
- A clear description of the vulnerability and its potential impact
- Step-by-step reproduction instructions, including affected URLs, endpoints, or app screens
- Proof-of-concept code, request/response captures, or screenshots (redact any real customer data)
- The account, browser, device, or environment used for testing
- Encrypt reports containing sensitive proof-of-concept details when possible, especially for anything above Medium severity.
How we triage severity
Critical
1 dayUnauthorized fund movement, full account takeover, auth bypass
High
2 daysSensitive data exposure, privilege escalation, injection with real impact
Medium
3 daysLogic flaws with limited impact, stored/reflected issues needing user interaction
Low / Info
5 daysBest-practice gaps, misconfigurations with minimal exploitability
Response commitments
Credits
SkyFi does not currently operate a paid bug bounty. Researchers who submit valid, in-scope reports may be credited in an acknowledgments page at our discretion, with your permission.
Report a vulnerability
Email the security team with the details listed on this page.
security@skyfichecking.comFor general account or banking questions, contact support or review our Trust & Security overview.