Guest Manager

Responsible Disclosure

Effective date: May 11, 2026

We take the security of our platform and our customers’ data seriously. If you believe you’ve found a vulnerability, we want to hear about it.

Reporting

Please email reports to security@guestmanager.com. PGP encryption is available on request.

What to include

A clear description of the issue, steps to reproduce, and any proof-of-concept material. The more specific the report, the faster we can act on it.

Our commitment

  • We’ll acknowledge your report within two business days.
  • We’ll keep you updated as we investigate and remediate.
  • With your permission, we’ll publicly credit you once the issue is fixed.

Scope

In scope: guestmanager.com, all *.guestmanager.com subdomains, our Shopify app GM Event Ticketing, and our public APIs.

Out of scope: third-party services we rely on (Shopify, Heroku, Stripe, etc.), social engineering, physical attacks, denial of service, and reports based solely on automated scanner output (missing security headers, SPF/DMARC alignment, version disclosure, etc.) without demonstrated impact.

No paid bounty program

We do not currently offer monetary rewards. We genuinely appreciate good-faith disclosure and will credit researchers publicly with their permission.

Safe harbor

Good-faith security research conducted in accordance with this policy will not result in legal action from Guest Manager. We consider activities consistent with this policy as authorized, and will not pursue claims under the Computer Fraud and Abuse Act, similar state laws, or DMCA anti-circumvention provisions against researchers acting in good faith.

Adapted from the Basecamp open-source policies / CC BY 4.0
Questions or concerns about our policies? Don't hesitate to get in touch.