Security at BOOTH
Last full security review: May 11, 2026
We take the security of our barbers, shop owners, customers, and their payments seriously. If you believe you've found a vulnerability in any BOOTH-operated service, we want to hear from you and we'll work with you to investigate and fix it quickly.
Most recent review
On May 11, 2026 we completed an end-to-end audit covering:
- Stripe payment routes — signature verification, server-side amount sourcing, idempotency on charges and payouts, authorization on every money-moving endpoint
- Authentication — password policy, account-enumeration protection on forgot-password, post-login redirect sanitization, hardened logout cookies
- Database row-level security — restricted access to bookings, listings, and shop data; public-availability reads via minimum-disclosure RPCs
- Key & secret management — full repository and git-history scan; no hardcoded payment or service-role secrets
- Browser-side defense — Content-Security-Policy enforced, image-upload MIME validation, dependency lockdown
- Rate limiting on signup, password reset, and unauthenticated APIs
How to report
Email security@boothapp.co with a clear description of the issue, the steps required to reproduce it, and any proof-of-concept material. PGP is welcome but not required.
In scope
- boothapp.co and all subdomains we operate
- The BOOTH web application, dashboards, and public APIs
- Our authentication, payments, booking, and rewards flows
Out of scope
- Denial-of-service, traffic flooding, or resource-exhaustion attacks
- Social engineering, phishing, or physical attacks against BOOTH staff or customers
- Findings from automated scanners with no demonstrated impact
- Issues in third-party services (Stripe, Supabase, Vercel, etc.) — please report to the vendor
- Self-XSS or issues that require an already-compromised account
Our commitment
- We'll acknowledge your report within 3 business days.
- We'll keep you updated as we investigate and remediate.
- We won't pursue legal action against good-faith researchers who follow this policy.
- With your permission, we'll credit you publicly once the issue is fixed.
Safe-harbor guidelines
Please make a good-faith effort to avoid privacy violations, service degradation, and destruction of data. Use only test accounts you own, never access another user's data beyond what's needed to demonstrate the issue, and give us reasonable time to remediate before public disclosure.
See also /.well-known/security.txt.