We take the security of Athletica and our athletes' data seriously. If you believe you've found a vulnerability, we'd like to hear from you.
How to report
- A clear description of the issue and its impact.
- Steps to reproduce, including affected URLs or endpoints.
- Any proof-of-concept code, screenshots, or request/response captures.
- Your name or handle if you'd like to be credited.
One issue per report, please. We'll acknowledge receipt within 5 business days and aim to provide a status update within 15 business days of acknowledgement.
Scope
In scope:
- athletica.ai and its subdomains (e.g. app.athletica.ai, app2.athletica.ai).
- The Athletica web and mobile applications.
- Our public APIs.
Out of scope:
- Denial-of-service, volumetric, or rate-limit testing.
- Social engineering of staff, athletes, or coaches.
- Physical attacks against our offices or infrastructure providers.
- Reports generated solely by automated scanners with no demonstrated impact.
- Findings on third-party services we integrate with (e.g. Garmin, Strava, Stripe); please report those to the relevant vendor.
- Missing security headers, cookie flags, or best-practice configuration issues without a concrete exploit.
- Vulnerabilities requiring a rooted, jailbroken, or otherwise compromised device.
Safe harbour
We won't pursue legal action against researchers who:
- Act in good faith and follow this policy.
- Avoid privacy violations, data destruction, and service disruption.
- Test only against accounts they own or have explicit permission to test.
- Give us reasonable time to remediate before public disclosure.
Disclosure
We support coordinated disclosure. Please don't share details publicly until we've confirmed a fix is deployed, and allow 90 days from your initial report for remediation. We're happy to coordinate a joint disclosure timeline for higher-severity findings.
Rewards
We don't currently operate a paid bug bounty program. We're glad to credit verified reporters with your permission.