Security Policy

Last updated: 2026-05-11

Happo LLC operates the screenshot testing, visual regression, and accessibility regression testing service at happo.io. We take the security of our platform and our customers' data seriously. This page describes how we handle security, what you can expect from us if you report a vulnerability, and how we ask researchers to engage with us.

Reporting a Vulnerability

Please send security reports to security@happo.io. We accept reports from independent researchers, customers, and partners.

We will acknowledge your report within 3 business days and keep you informed as we work toward remediation. Once we have assessed the scope of an issue, we notify affected accounts. When the scope is unclear, we assume all potentially exposed accounts are affected and communicate accordingly. We take ownership throughout the process and aim to be transparent at every step.

Scope

The following are in scope for security reports:

The following are out of scope:

  • Rate limiting and brute-force issues without demonstrated impact
  • Self-XSS
  • Social engineering
  • Denial-of-service testing
  • Automated scanner output without proof of exploitability
  • Third-party sub-processors (Stripe, AWS, Google Cloud, etc.) — please report those directly to the respective vendor

What We Ask of Researchers

  • Do not access, modify, or delete other users' data.
  • Do not run destructive tests or load/stress tests against our infrastructure.
  • Do not exfiltrate customer screenshots or confidential data.
  • Do not publicly disclose a vulnerability until we have shipped a fix and had a chance to notify affected users.

Safe Harbor

Happo LLC will not pursue legal action against researchers who report vulnerabilities in good faith, act within the boundaries of this policy, and do not access, modify, or destroy data beyond what is strictly necessary to demonstrate an issue.

Data We Handle

Understanding what data Happo processes helps contextualize the impact of any vulnerability:

  • User data — email address, display name, and avatar URL (low-to-medium sensitivity).
  • Billing metadata — company name, address, and zip code, handled internally. Payment card data is never stored by Happo; card processing is fully delegated to Stripe (PCI-DSS compliant).
  • Customer data — screenshots, git SHAs, commit messages, PR titles, commit authors, and links to internal systems. This data is treated as confidential and is strictly access-controlled per account.

Our Security Practices

  • All data is encrypted in transit and at rest.
  • Continuous security scanning across our infrastructure, dependencies, and source code.
  • Critical patches are targeted for immediate remediation and applied within 30 days at the latest.
  • Regular penetration testing is conducted.
  • Every security incident triggers a structured root-cause analysis (5 Whys) and a written postmortem.

Infrastructure & Sub-processors

Happo relies on a number of sub-processors for hosting, storage, monitoring, and other services. You can request a full list by emailing security@happo.io.

Bug Bounty

We do not currently offer monetary rewards. We do sincerely appreciate responsible disclosure and are happy to acknowledge researchers who report valid, in-scope issues.

Contact

Security reports: security@happo.io
Security owner: Henric Persson, CEO
