Report security bugs in Moov's open-source code to security@moov.io.

Report security bugs in Moov Financial's code or products via HackerOne.

After submitting a report an acknowledged will be received within 5 days and you can expect a more detailed response after the investigation occurs. Moov may resolve issues prior to notifying the reporter.

Security bugs in third party modules should be reported to their respective maintainers.

Moov Financial will work with the reporter on disclosure after resolutions are enacted, but an embargo will be in place for every report. Moov may take additional time to ensure no customer impact has occurred and systems are secure.

If you have suggestions on how this process can be improved please open a pull request on SECURITY.md or create an issue to discuss.