Skip to main content

Free Shipping on orders over $500

Security

Responsible Disclosure

Express Tools takes the security of our platform and customer data seriously. If you believe you have found a security vulnerability, we encourage you to report it responsibly and we commit to working with you to address it promptly.

Scope

The following systems and services are in scope for security research:

  • The expresstools.com website and all subdomains
  • Customer-facing checkout and account flows
  • API endpoints under expresstools.com
  • Authentication and session management
  • Payment integration (note: do not test against live payment processors)

Out of Scope

Denial-of-service attacks, spam, social engineering of Express Tools staff, physical security attacks, third-party services (Stripe, Supabase, Vercel), and vulnerabilities in systems not operated by Express Tools. Testing must not degrade service availability or access other users' data.

How to Report

Email your findings to security@expresstools.com. Please include:

  • A clear description of the vulnerability and potential impact
  • Steps to reproduce (proof-of-concept or screenshots if applicable)
  • The affected URL, endpoint, or component
  • Your name or handle (for acknowledgment, if desired)

You may optionally encrypt your report using our PGP key — email security@expresstools.com to request it.

Our Response Commitment

Acknowledgment

Within 2 business days

We will confirm receipt of your report and assign it for review.

Initial assessment

Within 5 business days

We will assess severity and confirm whether the issue is valid and in scope.

Resolution

Varies by severity

Critical issues are prioritized; we will keep you updated on progress and notify you when a fix is deployed.

Safe Harbor

Express Tools will not pursue legal action against security researchers who:

  • Act in good faith to identify and report vulnerabilities
  • Avoid accessing, modifying, or exfiltrating any user data
  • Do not disrupt or degrade our services
  • Do not share vulnerability details publicly before we have deployed a fix (coordinated disclosure)
  • Comply with this policy and applicable law

We ask that you give us reasonable time — typically 90 days — to investigate and remediate before any public disclosure. We will work with you on the timing if you have concerns.

Recognition

Express Tools does not currently operate a paid bug bounty program. We cannot offer monetary rewards for vulnerability reports. However, we genuinely appreciate responsible disclosure and are happy to acknowledge researchers in our release notes (with your permission).

Ready to report?

Email security@expresstools.com with the details above. Thank you for helping keep Express Tools and our customers safe.

This policy was last updated July 2026. For the machine-readable version, see /.well-known/security.txt.

Gradelog — Earthwork Operating System

Free 30 days with every Express Tools purchase

Your equipment. Your data. All in one place.

Gradelog is the field-execution platform built for grading and earthwork crews. Log grade shots, track cut/fill, document phases with photos, and generate as-built reports — from the cab to the office.

  • Grade shots & cut/fill tracking per job
  • Photo documentation by phase, task, and equipment
  • As-built reports ready for inspector sign-off
  • AI field assistant — troubleshoot on the jobsite
Gradelog dashboard — live field overview with grade shots, photos, and equipment status

Built by the same team as Express Tools

Try Free →

30 days

Free trial

8 languages

Supported

iPhone + Android

Works on