Security

Responsible Vulnerability Disclosure Policy

Last updated: April 23, 2026

We value the security research community. If you discover a vulnerability on Tour Frontier, please report it responsibly.

Found a security issue?

Report it to our security team — we respond within 48 hours.

security@tourfrontier.com

1. Our Commitment to Security

At Tour Frontier, we take the security of our platform and our users' data seriously. We believe that working with the global security research community is one of the best ways to keep our travelers safe. We operate a responsible vulnerability disclosure program that welcomes security researchers, ethical hackers, and anyone who wants to help us improve our security posture. If you discover a vulnerability, we want to hear from you.

2. Scope of Testing

The following domains and services are in scope for security testing:
• https://tourfrontier.com (primary web application)
• https://api.tourfrontier.com (API endpoints)
• Mobile applications (iOS and Android)
• Supabase edge functions and database configurations

The following are explicitly out of scope:
• Third-party services and integrations (Expedia, Travelpayouts, Stripe, etc.)
• Social engineering attacks against Tour Frontier employees or users
• Physical security testing of our offices
• Denial of Service (DoS) attacks or any activity that degrades service for other users
• Brute force attacks against user accounts

3. Responsible Disclosure Guidelines

To participate in our program, please follow these guidelines:
• Act in good faith and avoid violating privacy or disrupting services
• Do not access, modify, or delete data belonging to other users
• Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
• Do not share vulnerability details with anyone outside Tour Frontier until we have resolved it
• Provide us with a reasonable amount of time (90 days) to address the issue before publicly disclosing it
• Submit detailed reports including steps to reproduce, impact assessment, and suggested remediation

4. Safe Harbor

Tour Frontier provides safe harbor for security researchers who:
• Comply with this disclosure policy
• Act in good faith to avoid privacy violations and service disruption
• Only access accounts and data they own or have explicit permission to test
• Do not exploit vulnerabilities for personal gain or harm

We will not pursue legal action against researchers who meet these criteria. If legal action is initiated by a third party against you, we will make it clear that your actions were conducted in compliance with this policy.

Note: Safe harbor does not apply to activities that are illegal under applicable law, including but not limited to unauthorized access to computer systems, data theft, or extortion.

5. How to Report

Send your vulnerability report to:
Email: security@tourfrontier.com

Your report should include:
• A clear description of the vulnerability and its potential impact
• Step-by-step instructions to reproduce the issue
• The affected URL(s) or component(s)
• Screenshots, videos, or proof-of-concept code (if applicable)
• Your assessment of severity (Critical / High / Medium / Low)
• Any suggested remediation or fix

We aim to acknowledge receipt of your report within 48 hours and will keep you informed of our progress throughout the remediation process.

6. Response Timeline

Our commitment to researchers:
• Acknowledgment: Within 48 hours of receiving your report
• Initial assessment: Within 5 business days
• Resolution target for Critical/High severity: Within 7 days
• Resolution target for Medium severity: Within 30 days
• Resolution target for Low severity: Within 90 days
• Public disclosure coordination: After fix is deployed and you are ready to publish

We understand that researchers invest significant time and effort. While we do not currently offer a paid bug bounty program, we publicly acknowledge all valid reports in our Hall of Fame and provide swag packages for significant findings.

7. Hall of Fame

We are deeply grateful to the security researchers who have helped us improve Tour Frontier. Below is our Hall of Fame, recognizing individuals who have responsibly disclosed valid security vulnerabilities.
Researcher | Finding | Severity | Date
Alex Chen (@alexcsec) | Reflected XSS in destination search parameter | Medium | March 2026
Sarah Okafor (sarahokafor.dev) | Open redirect in OAuth callback flow | Medium | January 2026
Marcus Lindberg (@mlindberg_sec) | Information disclosure in API error responses | Low | November 2025
Priya Sharma (priyasec.io) | CSRF token bypass in trip sharing endpoint | High | September 2025
James Wilson (@jwilson_0x) | Rate limiting bypass on password reset | Medium | July 2025

8. Security Measures

Tour Frontier implements the following security measures to protect our users:
• TLS 1.3 encryption for all data in transit
• AES-256 encryption for sensitive data at rest
• Row Level Security (RLS) policies on all database tables
• Content Security Policy (CSP) headers to prevent XSS attacks
• Strict-Transport-Security (HSTS) to enforce HTTPS connections
• Rate limiting on authentication endpoints to prevent brute force
• Regular dependency audits and automated security scanning
• Two-factor authentication (2FA) via email OTP for all accounts
• Input validation and parameterized queries to prevent injection attacks
• Automated backup and disaster recovery procedures

9. Contact

For security-related inquiries only:
Email: security@tourfrontier.com
Response time: Within 48 hours

For general support questions, please use support@tourfrontier.com or visit our Help Center. For legal matters, contact legal@tourfrontier.com.

Thank you for helping keep Tour Frontier and our travelers safe.

Ready to help us stay secure?

Read our full policy above and send your findings to security@tourfrontier.com
