Free Shipping on orders over $500
Security
Responsible Disclosure
Express Tools takes the security of our platform and customer data seriously. If you believe you have found a security vulnerability, we encourage you to report it responsibly and we commit to working with you to address it promptly.
Scope
The following systems and services are in scope for security research:
- The expresstools.com website and all subdomains
- Customer-facing checkout and account flows
- API endpoints under expresstools.com
- Authentication and session management
- Payment integration (note: do not test against live payment processors)
Out of Scope
Denial-of-service attacks, spam, social engineering of Express Tools staff, physical security attacks, third-party services (Stripe, Supabase, Vercel), and vulnerabilities in systems not operated by Express Tools. Testing must not degrade service availability or access other users' data.
How to Report
Email your findings to security@expresstools.com. Please include:
- A clear description of the vulnerability and potential impact
- Steps to reproduce (proof-of-concept or screenshots if applicable)
- The affected URL, endpoint, or component
- Your name or handle (for acknowledgment, if desired)
You may optionally encrypt your report using our PGP key — email security@expresstools.com to request it.
Our Response Commitment
Acknowledgment
Within 2 business days
We will confirm receipt of your report and assign it for review.
Initial assessment
Within 5 business days
We will assess severity and confirm whether the issue is valid and in scope.
Resolution
Varies by severity
Critical issues are prioritized; we will keep you updated on progress and notify you when a fix is deployed.
Safe Harbor
Express Tools will not pursue legal action against security researchers who:
- Act in good faith to identify and report vulnerabilities
- Avoid accessing, modifying, or exfiltrating any user data
- Do not disrupt or degrade our services
- Do not share vulnerability details publicly before we have deployed a fix (coordinated disclosure)
- Comply with this policy and applicable law
We ask that you give us reasonable time — typically 90 days — to investigate and remediate before any public disclosure. We will work with you on the timing if you have concerns.
Recognition
Express Tools does not currently operate a paid bug bounty program. We cannot offer monetary rewards for vulnerability reports. However, we genuinely appreciate responsible disclosure and are happy to acknowledge researchers in our release notes (with your permission).
Ready to report?
Email security@expresstools.com with the details above. Thank you for helping keep Express Tools and our customers safe.
This policy was last updated July 2026. For the machine-readable version, see /.well-known/security.txt.

Free 30 days with every Express Tools purchase
Your equipment. Your data. All in one place.
Gradelog is the field-execution platform built for grading and earthwork crews. Log grade shots, track cut/fill, document phases with photos, and generate as-built reports — from the cab to the office.
- Grade shots & cut/fill tracking per job
- Photo documentation by phase, task, and equipment
- As-built reports ready for inspector sign-off
- AI field assistant — troubleshoot on the jobsite

Built by the same team as Express Tools
Try Free →30 days
Free trial
8 languages
Supported
iPhone + Android
Works on
