Security
Last updated: 2026-05-23
Reporting a vulnerability
If you discover a security issue in Dashed, please report it responsibly. Do not open a public GitHub issue for security vulnerabilities.
- Email: security@dashed.xyz
- Support: support@dashed.xyz
- Response time: We aim to acknowledge reports within 48 hours.
What we protect
Dashed is a virtual family money app. Balances are ledger-derived integers in a Supabase Postgres database — no real money or bank accounts are involved. Security depends on row-level security (RLS), role checks in RPCs, and family data isolation at the database layer.
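To make the database-layer isolation concrete, here is an added example of a minimal Supabase-style schema with RLS policies and a role-checked RPC. It is illustrative code written for this page, not Dashed's own schema: the table names (`families`, `family_members`, `ledger_entries`), the helper `is_family_member`, and the RPC `post_ledger_entry` are all assumptions. `auth.uid()` is the Supabase helper that returns the calling user's id from the JWT.

```sql
-- Added example, not Dashed's schema. Table, column and function names are assumptions.
create table families (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table family_members (
  family_id uuid not null references families(id),
  user_id   uuid not null,                 -- assumed to match auth.users.id
  role      text not null check (role in ('parent', 'kid')),
  primary key (family_id, user_id)
);

-- Balances are never stored; they are derived by summing integer ledger rows.
create table ledger_entries (
  id              bigserial primary key,
  family_id       uuid   not null references families(id),
  account_user_id uuid   not null,
  amount_cents    bigint not null,         -- integer minor units, never a float
  created_by      uuid   not null,
  created_at      timestamptz not null default now()
);

alter table families       enable row level security;
alter table family_members enable row level security;
alter table ledger_entries enable row level security;

-- Membership check. SECURITY DEFINER lets the policy below consult
-- family_members without recursing into that table's own RLS policy;
-- the fixed search_path prevents function/table shadowing.
create or replace function is_family_member(fid uuid) returns boolean
language sql stable security definer set search_path = public as $$
  select exists (
    select 1 from family_members
    where family_id = fid and user_id = auth.uid()
  );
$$;

-- Members see only their own family's rows. No INSERT/UPDATE/DELETE policy
-- exists, so direct writes through the API are rejected by RLS.
create policy families_read on families for select
  using (is_family_member(id));

create policy members_read on family_members for select
  using (is_family_member(family_id));

create policy ledger_read on ledger_entries for select
  using (is_family_member(family_id));

-- All writes go through an RPC that enforces the role check server-side:
-- only a parent of the family may post, and only to an account in that family.
create or replace function post_ledger_entry(fid uuid, account uuid, amount bigint)
returns bigint language plpgsql security definer set search_path = public as $$
declare
  new_id bigint;
begin
  if not exists (
    select 1 from family_members
    where family_id = fid and user_id = auth.uid() and role = 'parent'
  ) then
    raise exception 'caller is not a parent of this family';
  end if;
  if not exists (
    select 1 from family_members
    where family_id = fid and user_id = account
  ) then
    raise exception 'account holder is not a member of this family';
  end if;
  insert into ledger_entries (family_id, account_user_id, amount_cents, created_by)
  values (fid, account, amount, auth.uid())
  returning id into new_id;
  return new_id;
end;
$$;

-- Unauthenticated clients must not be able to call the RPC at all.
revoke execute on function post_ledger_entry(uuid, uuid, bigint) from anon, public;
grant  execute on function post_ledger_entry(uuid, uuid, bigint) to authenticated;

-- Ledger-derived balances. security_invoker (PostgreSQL 15+) makes the view
-- run under the caller's RLS instead of the view owner's, which would
-- otherwise expose every family's totals.
create view balances with (security_invoker = true) as
  select family_id, account_user_id, sum(amount_cents) as balance_cents
  from ledger_entries
  group by family_id, account_user_id;
```

Two checks worth running against a setup like this: query `ledger_entries` as a user from a second family and confirm zero rows come back, and call `post_ledger_entry` as a `kid` role and confirm the exception is raised rather than a row inserted.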
App controls
- Sessions stored in encrypted secure storage on mobile devices.
- OAuth uses PKCE auth codes only; implicit hash-token flows are rejected.
- Family invite tokens are time-limited and validated server-side.
- Privacy overlay masks balances when the app is backgrounded.
- Screen capture is discouraged on kids' balance screens.
Web controls
- Static site with no server-side secrets.
- HSTS, CSP, and related security headers on dashed.xyz.
- Auth callback strips sensitive query parameters from browser history.
See also our Privacy Policy and Terms of Use.