We take security very seriously at Achievable. If you believe you've found a security issue on Achievable, please let us know as soon as possible. We will investigate all legitimate reports and fix any issues.
We have given out rewards for reported issues on a case-by-case basis. Rewards vary depending on the severity of the issue and are typically between $50 and $500 USD.
We encourage all valid reports. However, if you are simply going to run a minimal-effort scanner (e.g. Burp Suite or ZAP), please do not. We receive countless ineligible, non-exploitable "issues" from these scanners and will not reply; you will just be wasting your time and ours. Thank you.
Please also note that our access token system intentionally supports authenticating across multiple devices at the same time. If a user has signed into multiple devices, and then signs out of one device, the others should remain signed in. The persistence of access tokens is necessary to support this use case, and any request made using a valid access token from any device should succeed.