Defense in depth
Three independent scanners look at the same product from different angles - dependencies, source code, and the running site. A vulnerability has to slip past all three to reach you.
Why this page exists
A classified-ad platform asks people to trust it with their listings, their account, and their messages. We think that trust should be earned with evidence, not slogans. This page shows the actual practices, scanners, and test counts that protect the platform — published live so you can verify them yourself.
What this page is not: an offer to facilitate or guarantee any sale between users. UTAM is a classified-ad platform — buyers and sellers transact directly, in person, in compliance with Utah and federal law. The only money UTAM handles is its own ad fees, processed via Stripe.
The principles that guide every change we ship.
Tests and security scans block deploys. We do not rely on memory or willpower to keep the platform safe; the pipeline refuses to ship a broken or vulnerable build.
Security headers, strict cookie settings, server-side authorization, and Stripe-managed ad-billing data mean sensitive details never live in places they should not. UTAM does not handle the money for buyer-seller transactions — see how this works below.
The numbers below are pulled directly from the most recent CI run, not handwritten. If a scan is pending or a gate is failing, this page will say so.
Every release is gated by these checks. Counts are pulled from the latest CI run.
Passing checks
554+
Across the entire codebase
Every change is gated by an automated suite that has to stay green before it can ship. We do not merge red builds.
Unit & integration
450
Pricing, validation, documents
Money math, listing validation, and the bill-of-sale generator are covered with assertion-level tests so a typo cannot ship a wrong price.
End-to-end journeys
100
Real browser flows
Buyers browsing, sellers posting, account changes, and messaging are exercised in a real browser before each release. If a flow breaks, the deploy stops.
Security cadence
Weekly
ZAP + Semgrep + npm audit
Dependency, code, and runtime scans run on a recurring schedule and on every change - not as a one-time launch checklist.
Last test run: May 29, 2026, 6:43 AM
Three independent scans look at the platform from different angles. A change has to clear all three before it reaches you — critical/high findings on any of the three block the deploy.
npm audit
Clean
May 25, 2026, 2:51 PM
Checks every third-party package we depend on for known vulnerabilities.
OWASP ZAP
Pass
May 25, 2026, 2:51 PM
Probes the running site the same way an attacker would, checking response headers, cookie attributes, and common web vulnerability classes.
Semgrep
1 finding
May 29, 2026, 6:35 AM
Static analysis of our own source code, looking for unsafe patterns before they reach production.
The vendors UTAM relies on and what each one handles. For exactly what data flows to each, see the Privacy Policy.
| Service | Purpose |
|---|---|
| Vercel | Hosting + image optimization |
| Supabase | Auth, database, storage |
| Stripe | Ad-fee billing |
| Cloudflare | CDN + WAF + DNS |
| Sentry | Error tracking |
| Resend | Transactional email delivery |
We minimize what each vendor receives. Card details for ad-fee billing go directly to Stripe and never touch our database. Sentry traces are scrubbed for PII before they leave the server.
If you find a security issue on UTAM, we want to hear about it.
Use our contact page.
Include reproduction steps, the affected URL or endpoint, and any proof-of-concept output. We'll route the report internally.
5 business days
We aim to acknowledge every good-faith report within five business days, with an initial assessment of severity and next steps.
In scope: the production platform at utaharmsmarket.com and any subdomain we operate. Authentication, ad billing, listing data, messaging, and account controls are all fair game.
Out of scope: the third-party vendors listed above (please report issues in their products directly to them), social engineering of staff, denial-of-service testing, and physical security.
Good-faith research conducted under this policy will not result in legal action. Stay within scope, avoid degrading service for other users, and never access, modify, or retain data that does not belong to you. Stop and report as soon as you confirm an issue.