Security at GymPulseTimer

We welcome good-faith security research. This page explains what we consider in scope, how to report issues, and what you can expect in return.

In scope

  • https://gympulsetimer.com and its subdomains
  • The iOS app (bundle ID com.web3bit.ro.GymPulseTimer)
  • The Android app (package com.web3bit.gympulsetimer)
  • The contact form and Android notify-me API endpoints

Out of scope

  • Social engineering of our team, customers, or vendors
  • Physical access attacks against devices, offices, or staff
  • Denial-of-service (DoS) and distributed DoS attacks
  • Third-party platform bugs (Apple, Google Play, Vercel, Resend) — please report those directly to the vendor
  • Publicly known CVEs that are awaiting a vendor-provided fix
  • Missing best-practice response headers with no demonstrable exploitable impact

How to report

Email security@gympulsetimer.com with the subject prefix [gpt-vdp]. Please include:

  • Reproduction steps (the more detail, the faster we triage)
  • The affected URL or app version
  • The impact you observed or believe is possible

We do not publish a PGP key at this time, so reports reach us as unencrypted email; please keep any real user data out of the report itself and describe how you reached it instead.

Service level

We aim to acknowledge reports within 72 hours and complete initial triage within 7 days. These timelines are best-effort — GymPulseTimer is an independent project maintained by a small team, and we appreciate your patience.

Safe harbor

We will not pursue legal action against good-faith security research that stays within the scope described above, respects user privacy, and does not disrupt our production services. Testing must not exfiltrate real user data — if you inadvertently access user data, stop immediately and report it so we can remediate together.

Rewards

We do not operate a formal bug bounty program at this time. Rewards are handled case by case and we are always grateful for thoughtful disclosures — public credit can be offered on request once a fix has shipped.

Machine-readable contact details are available at /.well-known/security.txt (RFC 9116).
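As an added example (not GymPulseTimer's code, and the two file bodies below are constructed for illustration, not the file actually served at /.well-known/security.txt), here is a small checker for the RFC 9116 rules a researcher would want to confirm before trusting a security.txt: a required Contact URI in an allowed scheme, exactly one Expires value in RFC 3339 form that is neither past nor more than a year out, https-only link fields, and at most one Preferred-Languages line.

```python
"""Small RFC 9116 (security.txt) checker. Added example; not GymPulseTimer's code."""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample for illustration; NOT the file served at
# https://gympulsetimer.com/.well-known/security.txt.
SAMPLE = """\
# constructed sample
Contact: mailto:security@gympulsetimer.com
Expires: 2026-10-01T00:00:00Z
Policy: https://gympulsetimer.com/security
Canonical: https://gympulsetimer.com/.well-known/security.txt
Preferred-Languages: en
"""

# Constructed sample that breaks several rules (see validate()).
BAD = """\
Contact: http://gympulsetimer.com/contact
Policy: http://gympulsetimer.com/security
"""

HTTPS_ONLY = ("acknowledgments", "canonical", "hiring", "policy")
CONTACT_SCHEMES = ("mailto", "tel", "https")
ENCRYPTION_SCHEMES = ("https", "dns", "openpgp4fpr")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Map lowercased field name -> list of values (some fields may repeat).
    RFC 9116 field names are case-insensitive; '#' lines are comments."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_rfc3339(value: str) -> datetime:
    """RFC 9116 requires an Internet date/time; accept a trailing 'Z'."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate(fields: dict[str, list[str]], now: datetime) -> list[str]:
    """Return the list of RFC 9116 violations found (empty list == usable)."""
    problems: list[str] = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact is required")
    for c in contacts:
        if urlparse(c).scheme not in CONTACT_SCHEMES:
            problems.append(f"Contact must be a mailto:, tel: or https: URI: {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("exactly one Expires field is required")
    else:
        try:
            exp = parse_rfc3339(expires[0])
            if exp.tzinfo is None:
                problems.append("Expires must include a UTC offset")
            elif exp <= now:
                problems.append(f"file expired at {expires[0]}")
            elif exp - now > timedelta(days=365):
                problems.append("Expires should be less than a year away")
        except ValueError:
            problems.append(f"Expires is not RFC 3339: {expires[0]}")

    for key in HTTPS_ONLY:
        for v in fields.get(key, []):
            if urlparse(v).scheme != "https":
                problems.append(f"{key.capitalize()} must be an https URL: {v}")
    for v in fields.get("encryption", []):
        if urlparse(v).scheme not in ENCRYPTION_SCHEMES:
            problems.append(f"Encryption must be https:, dns: or openpgp4fpr:: {v}")
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must not appear more than once")
    return problems


def check(text: str, now_rfc3339: str | None = None) -> list[str]:
    """Parse and validate at a given RFC 3339 time (default: now, UTC)."""
    now = parse_rfc3339(now_rfc3339) if now_rfc3339 else datetime.now(timezone.utc)
    return validate(parse_security_txt(text), now)


if __name__ == "__main__":
    for name, text in (("SAMPLE", SAMPLE), ("BAD", BAD)):
        print(name, check(text) or "OK")
```

To run it against a live site, fetch /.well-known/security.txt over HTTPS (RFC 9116 requires that location and scheme) and pass the body to check(); a non-empty result is a reason to fall back to the contact address on this page rather than trust the file.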

Last updated: 2026-04-23