Security
Report security issues privately at security@voltour.bike with the affected URL, exact steps, impact, and evidence.
What to include
Good reports include the route or API endpoint affected, the account role used, the exact request or browser steps, the expected result, the actual result, and a short impact statement. Screenshots, HAR snippets, request IDs, and timestamps help reproduce issues without extra back-and-forth.
Testing boundaries
Do not test with destructive traffic, denial of service, social engineering, credential stuffing, spam, physical attacks, or access to accounts and data you do not own. Keep proof-of-concept traffic small and stop as soon as you can show the issue safely.
Relevant surfaces
Security-sensitive Voltour surfaces include login, passkeys, MFA, saved routes, shared route links, station reports, photo uploads, partner dashboards, billing redirects, charger verification, geocoding, route planning, and API endpoints under the same production origin.
Handling
We aim to acknowledge actionable reports, preserve evidence, and prioritize issues by practical user impact: account takeover, unauthorized data access, unsafe route or station data changes, billing abuse, and server-side compromise are handled ahead of low-impact informational findings.