1. About this Policy
1.1. This Security and Responsible Disclosure Policy ("Policy") explains how security researchers and users can report potential vulnerabilities affecting MotoMoto App.
1.2. MotoMoto App is operated by PALMBAY SOFTWARE LTD, a company registered in England and Wales under company number 16380280, with its registered office at 20 Wenlock Road, London, N1 7GU, England. MotoMoto App is an unregistered trading name of PALMBAY SOFTWARE LTD.
1.3. We welcome good-faith security reports that help protect our users, Hosts, customers, systems, and Platform.
1.4. This Policy does not create a paid bug bounty programme, employment relationship, agency relationship, or obligation to pay rewards.
2. Scope
2.1. This Policy applies to security issues affecting:
(a) the MotoMoto App website at https://moto-moto.app/;
(b) the MotoMoto App mobile application, where publicly available;
(c) public API endpoints owned or operated by PALMBAY SOFTWARE LTD, where applicable; and
(d) MotoMoto App implementation or configuration issues that could reasonably affect user security, privacy, booking integrity, payments, payouts, identity verification, or Platform safety.
2.2. Third-party services are outside the scope of this Policy unless the vulnerability is caused by MotoMoto App's implementation or configuration.
2.3. Issues affecting Stripe, Wise, Apple, Google, OVHcloud, or other third-party services should be reported to those providers through their own security reporting channels unless the issue arises from MotoMoto App's implementation.
3. How to report a vulnerability
3.1. Report security concerns to: security@moto-moto.app
3.2. Please include as much of the following as possible:
(a) a clear description of the issue;
(b) the affected URL, endpoint, feature, platform, or app version;
(c) steps to reproduce the issue;
(d) the potential impact;
(e) screenshots, logs, or proof-of-concept information where safe to share;
(f) your contact details;
(g) whether any personal data, customer data, Host data, payment data, identity data, secrets, or production data was accessed; and
(h) whether you have already disclosed the issue to anyone else.
3.3. Do not include unnecessary personal data or secrets in your report.
4. Good-faith research rules
4.1. To remain within this Policy, you must:
(a) act in good faith;
(b) use only accounts you own or are authorised to use;
(c) use minimal testing necessary to confirm the issue;
(d) avoid privacy harm, safety harm, service disruption, and data exposure;
(e) stop testing immediately if you access personal data, customer data, Host data, payment data, identity data, secrets, or production systems beyond what is necessary to prove the vulnerability;
(f) report the issue promptly to security@moto-moto.app;
(g) not exploit the issue beyond a minimal proof of concept;
(h) keep information confidential until we authorise disclosure or a reasonable coordinated disclosure process has completed; and
(i) comply with applicable law.
4.2. If you are unsure whether testing is permitted, contact security@moto-moto.app before proceeding.
5. Prohibited activities
5.1. The following activities are not authorised:
(a) data exfiltration;
(b) accessing, copying, modifying, deleting, or retaining personal data or confidential information;
(c) denial-of-service or resource exhaustion testing;
(d) spam;
(e) phishing;
(f) social engineering;
(g) physical attacks;
(h) malware or harmful code;
(i) credential stuffing;
(j) brute forcing;
(k) extortion or threats;
(l) persistence, backdoors, or unauthorised access maintenance;
(m) lateral movement;
(n) bypassing payments or attempting to obtain services without payment;
(o) changing, cancelling, creating, or interfering with bookings;
(p) interfering with vehicles, Hosts, customers, payments, payouts, identity verification, safety systems, operational systems, or support systems;
(q) testing against Stripe, Wise, Apple, Google, OVHcloud, or other third-party services except through those providers' own authorised programmes;
(r) public disclosure before responsible disclosure has been coordinated; or
(s) any activity that is unlawful, destructive, unsafe, privacy-invasive, or disruptive.
6. Safe harbour
6.1. If you comply with this Policy, act in good faith, avoid privacy harm and service disruption, do not exploit beyond a minimal proof of concept, report promptly, and keep information confidential until authorised disclosure, we will not knowingly initiate legal action against you for the security research itself.
6.2. This limited safe harbour applies only to PALMBAY SOFTWARE LTD and only to conduct that complies with this Policy.
6.3. Safe harbour does not apply to illegal, harmful, extortionate, destructive, coercive, privacy-invasive, or disruptive conduct.
6.4. We cannot grant immunity from action by third parties, regulators, law enforcement, service providers, app stores, payment providers, hosting providers, or affected users.
6.5. We may still take action necessary to protect users, systems, data, vehicles, bookings, payments, payouts, safety, or legal obligations.
7. No paid bug bounty unless stated
7.1. PALMBAY SOFTWARE LTD does not offer a paid bug bounty programme unless expressly announced in writing.
7.2. Security reports are voluntary.
7.3. We may, at our discretion, acknowledge helpful reports, but we do not guarantee payment, reward, public credit, response time, or remediation outcome.
8. What happens after a report
8.1. We will review reports submitted to security@moto-moto.app.
8.2. Where possible, we may acknowledge receipt.
8.3. We may triage, investigate, reproduce, prioritise, remediate, monitor, or close the report depending on severity, exploitability, evidence, scope, and risk.
8.4. We may ask for additional information.
8.5. For security reasons, we may not provide detailed status updates, internal analysis, implementation details, or remediation timelines.
8.6. Where coordinated disclosure is appropriate, we may agree a disclosure process with you.
9. Privacy and data handling
9.1. If you accidentally access personal data, customer data, Host data, payment data, identity data, secrets, or confidential data, you must:
(a) stop testing immediately;
(b) not copy, retain, share, download, transfer, modify, delete, or further access the data;
(c) report the incident immediately to security@moto-moto.app; and
(d) securely delete any data you received or retained, unless we instruct otherwise for lawful evidence preservation.
9.2. We may process your name, email address, report content, technical information, and communications to handle your report, protect the Platform, comply with legal obligations, and maintain security records.
9.3. Privacy questions may be sent to privacy@moto-moto.app.
10. Out-of-scope examples
10.1. The following are generally out of scope unless you demonstrate practical security impact:
(a) missing or weak security headers without exploitability;
(b) email authentication configuration issues without demonstrated abuse risk;
(c) clickjacking without sensitive impact;
(d) rate-limit observations without practical abuse;
(e) self-XSS;
(f) reports generated only by automated scanners without proof of impact;
(g) social engineering scenarios;
(h) physical access attacks;
(i) vulnerabilities affecting only outdated browsers, devices, or unsupported operating systems;
(j) issues requiring a compromised device, rooted device, jailbroken device, or prior account compromise without additional impact;
(k) generic best-practice suggestions without a specific vulnerability; and
(l) user enumeration without meaningful risk or exploitability.
10.2. We may still review out-of-scope reports at our discretion, but we are not obliged to respond or take action.
11. Safety, fraud, and operational issues
11.1. This security channel is for vulnerability reporting. It is not the correct channel for urgent rental issues, accidents, personal safety concerns, booking disputes, payment disputes, or complaints.
11.2. Urgent rental or safety issues should be reported to +44 7700 182876 and support@moto-moto.app.
11.3. Complaints should be handled through the Complaints Procedure at https://moto-moto.app/legal/complaints.
11.4. Fraud, suspicious payment activity, identity misuse, or account takeover concerns may be sent to support@moto-moto.app or security@moto-moto.app depending on urgency and technical nature.
12. Public disclosure
12.1. Do not publicly disclose a vulnerability before we have had a reasonable opportunity to assess and remediate it.
12.2. We may ask you to delay disclosure where additional time is reasonably needed to protect users, data, payments, bookings, systems, or safety.
12.3. We may decline public disclosure where disclosure would create disproportionate risk, reveal sensitive security information, affect third parties, or compromise user safety or privacy.
12.4. Any public credit is at our discretion and subject to your compliance with this Policy.
13. Changes
13.1. We may update this Policy from time to time.
13.2. The current version is available at https://moto-moto.app/legal/security.
13.3. Security research is governed by the version in effect at the time of the research and report, unless a later version provides clearer or more protective terms.
14. Contact
Security reports: security@moto-moto.app
Urgent rental or safety issues: +44 7700 182876 and support@moto-moto.app
Privacy contact: privacy@moto-moto.app
Support: support@moto-moto.app
END OF SECURITY AND RESPONSIBLE DISCLOSURE POLICY