NachoCrunch

πŸ›‘οΈSecurity & Responsible Disclosure

NachoCrunch takes security seriously. If you've discovered a vulnerability in any of our systems, we want to hear from you. We'll respond quickly, credit you (if you wish), and work with you to fix the issue before public disclosure.

📜 Responsible Disclosure Policy (Active)

We welcome reports from security researchers acting in good faith. If you follow this policy, we will:

Please do:

Please don't:

🎯 Scope

In Scope

  • app.nachocrunch.com
  • api.nachocrunch.com
  • Public rate-quote endpoints
  • Embeddable widget JS
  • Authentication / RBAC flows

Out of Scope

  • Third-party integrations (Encompass, Calyx, etc.)
  • Vendor SaaS dashboards we embed from
  • Physical security / social engineering
  • Rate-limit bypass by distributed IPs
  • Self-XSS or browser-only issues

💰 Bounty Program (Pre-launch)

Our bug bounty program is being formalized. In the meantime, we recognize significant findings with swag, Hall of Fame credit, and — at our discretion — cash rewards for critical impact reports. Contact security@aspirehomeloans.com for details.

📬 File a Report

Use this form to submit a vulnerability report. You'll receive a tracking token you can use to check status at any time. For sensitive reports, you may encrypt the contents with our PGP key (below) and email them directly.

Prefer email? Send your report to security@aspirehomeloans.com. We reply to every report.

πŸ” PGP Key

For particularly sensitive reports, encrypt with our PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
(PGP key placeholder — our security team will publish the live key here.)
Fingerprint: 0000 0000 0000 0000 0000  0000 0000 0000 0000 0000
-----END PGP PUBLIC KEY BLOCK-----

πŸ† Hall of Fame

Researchers who have helped make NachoCrunch safer will be listed here (opt-in). Be the first β€” submit a report above.