Security at SkyDelay
Our customers trust us with bank details, ID documents, and travel data. We treat that responsibility seriously. This page describes how we protect your information and how researchers can responsibly disclose security issues.
Reporting a vulnerability
If you believe you have found a security vulnerability in any SkyDelay system, please report it to us before publicly disclosing it. We commit to:
- Acknowledge your report within 2 business days.
- Provide an initial assessment within 7 calendar days.
- Keep you informed of progress towards resolution.
- Credit you in our hall-of-fame (if you wish) once the issue is fixed.
- Not pursue legal action against researchers acting in good faith.
- Email: security@skydelay.org
- security.txt: /.well-known/security.txt
In scope
- skydelay.org and any sub-domain we operate.
- The public claim form and customer claim portal.
- Authentication, authorisation, and IDOR vulnerabilities.
- Server-side vulnerabilities (SSRF, RCE, SQL injection, NoSQL injection).
- Sensitive data exposure (PII, IBAN, payment data, IDs).
- Cross-site scripting, CSRF, broken access control.
Out of scope
- Social engineering of staff or customers.
- Denial-of-service, brute-force, or rate-limit testing on production.
- Reports of missing best-practice headers without a working exploit.
- Spam or content injection that only works if the user interacts with attacker-controlled content.
- Third-party services (Stripe, Vercel, MongoDB Atlas) — report directly to them.
How we protect data
- In transit: TLS 1.3 enforced across all subdomains; HSTS with a 2-year max-age and preload.
- At rest: AES-256 encryption for documents (ID, boarding pass, receipts) and customer PII fields in MongoDB.
- Access control: Least-privilege role-based access, MFA required for all staff, audited admin actions.
- Rate limiting: Per-IP and per-PNR rate limits on every public mutating endpoint.
- Token-based authorisation: Resume tokens are HMAC-signed and tied to the specific claim.
- IBAN validation: Mod-97 checksum on every bank-detail update.
- Audit logs: Every status change and admin action is written to an append-only timeline.
- Penetration testing: Annual third-party pentest, internal pre-release security review.
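One way the "token-based authorisation" item above could be implemented, as an added Python example that is not SkyDelay's own code: the token carries the claim id under an HMAC-SHA256 tag, so a token minted for one claim fails verification for any other claim. The key, the claim ids and the expiry field are assumptions made for this example; the page does not state that resume tokens expire.

```python
import base64
import binascii
import hashlib
import hmac

# Constructed demo key for this example only; a deployment would load it from a secret store.
SECRET_KEY = b"demo-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def issue_resume_token(claim_id: str, expires_at: int, key: bytes = SECRET_KEY) -> str:
    """Mint a resume token bound to one claim id (the expiry field is an assumption added here)."""
    if "|" in claim_id:
        raise ValueError("claim id must not contain the field separator")
    payload = f"{claim_id}|{expires_at}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_resume_token(claim_id: str, token: str, now: int, key: bytes = SECRET_KEY) -> bool:
    """Accept the token only if the MAC is valid, it names this claim, and it is unexpired."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return False
    # Check the MAC in constant time before trusting any field in the payload.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False
    try:
        token_claim, exp_text = payload.decode().split("|")
        expires_at = int(exp_text)
    except (ValueError, UnicodeDecodeError):
        return False
    # Binding check: a token minted for one claim cannot resume a different claim.
    return token_claim == claim_id and now < expires_at
```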
GDPR & data minimisation
We collect only the personal data strictly necessary to handle your claim and we delete it on the earlier of: (i) your written request, or (ii) the end of the applicable retention period under Albanian Law No. 9887/2008 and Article 6(1)(b) GDPR. Backups are pruned in line with the same schedule.
Hall of fame
We publicly credit researchers who report valid vulnerabilities. If you would like to be listed, include your preferred handle and a link in your report.
No reports listed yet — be the first.
Last updated: 2026-06-04.