Utah Arms Market

Why this page exists

How UTAM is tested and secured

A classified-ad platform asks people to trust it with their listings, their account, and their messages. We think that trust should be earned with evidence, not slogans. This page shows the actual practices, scanners, and test counts that protect the platform — published live so you can verify them yourself.

What this page is not: an offer to facilitate or guarantee any sale between users. UTAM is a classified-ad platform — buyers and sellers transact directly, in person, in compliance with Utah and federal law. The only money UTAM handles is its own ad fees, processed via Stripe.

How we approach safety

The principles that guide every change we ship.

Defense in depth

Three independent scanners look at the same product from different angles - dependencies, source code, and the running site. A vulnerability has to slip past all three to reach you.

Automated gates, not promises

Tests and security scans block deploys. We do not rely on memory or willpower to keep the platform safe; the pipeline refuses to ship a broken or vulnerable build.

Hardened by default

Security headers, strict cookie settings, server-side authorization, and Stripe-managed ad-billing data mean sensitive details never live in places they should not. UTAM does not handle the money for buyer-seller transactions — see how this works below.

Transparent reporting

The numbers below are pulled directly from the most recent CI run, not handwritten. If a scan is pending or a gate is failing, this page will say so.

Testing confidence

Every release is gated by these checks. Counts are pulled from the latest CI run.

Passing checks: 554+ (across the entire codebase)

Every change is gated by an automated suite that has to stay green before it can ship. We do not merge red builds.

Unit & integration: 450 (pricing, validation, documents)

Money math, listing validation, and the bill-of-sale generator are covered with assertion-level tests so a typo cannot ship a wrong price.

End-to-end journeys: 100 (real browser flows)

Buyers browsing, sellers posting, account changes, and messaging are exercised in a real browser before each release. If a flow breaks, the deploy stops.

Security cadence: weekly (ZAP + Semgrep + npm audit)

Dependency, code, and runtime scans run on a recurring schedule and on every change - not as a one-time launch checklist.

Last test run: May 29, 2026, 6:43 AM

Security pipeline

Three independent scans look at the platform from different angles. A change has to clear all three before it reaches you — critical/high findings on any of the three block the deploy.

npm audit: Clean (May 25, 2026, 2:51 PM)

Checks every third-party package we depend on for known vulnerabilities.

OWASP ZAP: Pass (May 25, 2026, 2:51 PM)

Probes the running site the same way an attacker would, checking headers, cookies, and common exploits.

Semgrep: 1 finding (May 29, 2026, 6:35 AM)

Static analysis of our own source code, looking for unsafe patterns before they reach production.
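To make the gating rule concrete, here is an added example of a deploy gate that reads the JSON reports of the three scanners named above and refuses to ship when any of them carries a critical/high finding. This is illustration code written for this page, not UTAM's pipeline. The report shapes assumed are npm audit's v7+ JSON (`metadata.vulnerabilities` counts), Semgrep's `--json` output (`results[].extra.severity`) and ZAP's traditional JSON report (`site[].alerts[].riskcode`), as I know them; the mapping of Semgrep ERROR to "high" is an assumed policy, and all sample reports are constructed.

```javascript
'use strict';

// npm audit v7+ JSON (assumed shape): metadata.vulnerabilities holds a count per severity.
function npmAuditBlockers(report) {
  const counts = (report && report.metadata && report.metadata.vulnerabilities) || {};
  return (counts.critical || 0) + (counts.high || 0);
}

// Semgrep --json (assumed shape): results[].extra.severity is ERROR, WARNING or INFO.
// Assumed policy: ERROR counts as high and blocks; WARNING and INFO are reported, not blocking.
function semgrepBlockers(report) {
  return ((report && report.results) || []).filter(
    (r) => r.extra && r.extra.severity === 'ERROR'
  );
}

// ZAP traditional JSON report (assumed shape): site[].alerts[].riskcode,
// where "0" is informational, "1" low, "2" medium and "3" high.
function zapBlockers(report) {
  const blockers = [];
  for (const site of (report && report.site) || []) {
    for (const alert of site.alerts || []) {
      if (Number(alert.riskcode) >= 3) blockers.push(alert);
    }
  }
  return blockers;
}

// The gate itself: a blocker from any one scanner is enough to stop the deploy.
function evaluateGate({ npmAudit, semgrep, zap }) {
  const reasons = [];
  const advisories = npmAuditBlockers(npmAudit);
  if (advisories > 0) reasons.push(`npm audit: ${advisories} critical/high advisories`);
  for (const r of semgrepBlockers(semgrep)) {
    reasons.push(`semgrep: ${r.check_id} at ${r.path}:${r.start.line}`);
  }
  for (const a of zapBlockers(zap)) {
    reasons.push(`zap: ${a.name} (${a.riskdesc})`);
  }
  return { blocked: reasons.length > 0, reasons };
}

// Exit status a CI step would return: non-zero stops the pipeline.
function gateExitCode(verdict) {
  return verdict.blocked ? 1 : 0;
}

// Constructed sample reports (not real scanner output).
const sampleNpmAudit = {
  auditReportVersion: 2,
  metadata: { vulnerabilities: { info: 0, low: 2, moderate: 1, high: 0, critical: 0, total: 3 } },
};
const sampleSemgrep = {
  results: [{
    check_id: 'constructed.example-rule',
    path: 'lib/listing.js',
    start: { line: 42 },
    extra: { severity: 'WARNING', message: 'constructed warning-level finding' },
  }],
  errors: [],
};
const sampleZapClean = {
  site: [{ '@name': 'https://staging.example.invalid', alerts: [
    { name: 'Constructed low-risk alert', riskcode: '1', riskdesc: 'Low (Medium)' },
  ] }],
};
const sampleZapHigh = {
  site: [{ '@name': 'https://staging.example.invalid', alerts: [
    { name: 'Constructed high-risk alert', riskcode: '3', riskdesc: 'High (Medium)' },
  ] }],
};

// Stand-alone run: the low/moderate npm advisories and the Semgrep WARNING pass,
// the high-risk ZAP alert blocks.
const verdict = evaluateGate({ npmAudit: sampleNpmAudit, semgrep: sampleSemgrep, zap: sampleZapHigh });
console.log(verdict.blocked ? 'BLOCKED' : 'CLEAR', verdict.reasons);
```

The point of structuring the gate this way is that each scanner's threshold lives in one small function, so "what blocks a deploy" is auditable in a few lines rather than scattered across CI YAML. A Semgrep finding that a human has triaged as WARNING shows up in the report without stopping the release, which is consistent with the status shown above (one finding, scan still clearing the gate).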

Third-party services

The vendors UTAM relies on and what each one handles. For exactly what data flows to each, see the Privacy Policy.

Service      Purpose
Vercel       Hosting + image optimization
Supabase     Auth, database, storage
Stripe       Ad-fee billing
Cloudflare   CDN + WAF + DNS
Sentry       Error tracking
Resend       Transactional email delivery

We minimize what each vendor receives. Card details for ad-fee billing go directly to Stripe and never touch our database. Sentry traces are scrubbed for PII before they leave the server.

Responsible disclosure

If you find a security issue on UTAM, we want to hear about it.

Where to send reports

Use our contact page.

Include reproduction steps, the affected URL or endpoint, and any proof-of-concept output. We'll route the report internally.

Response time

5 business days

We aim to acknowledge every good-faith report within five business days, with an initial assessment of severity and next steps.

In scope

The production platform at utaharmsmarket.com and any subdomain we operate. Authentication, ad-billing, listing data, messaging, and account controls are all fair game.

Out of scope

The third-party vendors listed above (please report directly to them), social engineering of staff, denial-of-service testing, and physical security.

Safe harbor

Good-faith research conducted under this policy will not result in legal action. Stay within scope, avoid degrading service for other users, and never access, modify, or retain data that does not belong to you. Stop and report as soon as you confirm an issue.

What this means for you

  • UTAM does not handle the money for buyer-seller transactions. UTAM is a classified-ad platform — buyers and sellers arrange and complete every sale directly, in person, in compliance with Utah and federal law. The only money UTAM collects is its own ad fees, billed through Stripe. Card details for those ad fees never touch our servers.
  • Your account is yours. Authentication is enforced server-side on every request. Cookies are locked down (HttpOnly, Secure, SameSite), and access decisions never rely on the browser alone.
  • Bugs are caught before you see them. Tests, scans, and gates run on every change. If something breaks, the build refuses to ship until it's fixed.
  • If something goes wrong, we want to know. See the responsible disclosure section for how to report a security issue. Good-faith reports are taken seriously and protected by safe harbor.
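The cookie settings named above (HttpOnly, Secure, SameSite) are easy to state and easy to lose in a refactor, so here is an added example of how to emit a session cookie with those attributes and how to audit a response's Set-Cookie headers for them. This is illustration code written for this page, not UTAM's code; cookie names and token values are constructed, and the `__Host-` prefix check follows the browser rule that such a cookie must be Secure, have Path=/ and carry no Domain attribute.

```javascript
'use strict';

// Attributes every session cookie must carry (the page's list).
const REQUIRED_ATTRIBUTES = ['HttpOnly', 'Secure', 'SameSite'];

// Build a Set-Cookie header value with the locked-down attributes.
// Name and value are validated so a stray ';' or whitespace cannot smuggle in extra attributes.
function buildSessionCookie(name, value, { maxAgeSeconds = 3600, sameSite = 'Lax' } = {}) {
  if (!/^[A-Za-z0-9!#$%&'*+\-.^_`|~]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[;,\s"\\]/.test(value)) throw new Error('cookie value contains a forbidden character');
  if (!['Strict', 'Lax', 'None'].includes(sameSite)) throw new Error('invalid SameSite value');
  return [
    `${name}=${value}`, 'Path=/', `Max-Age=${maxAgeSeconds}`,
    'HttpOnly', 'Secure', `SameSite=${sameSite}`,
  ].join('; ');
}

// Parse one Set-Cookie header value into name, value and attributes.
// Attribute keys are lower-cased; valueless attributes such as HttpOnly become true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (attr === '') continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Findings for one Set-Cookie header: missing attributes plus two consistency checks.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = REQUIRED_ATTRIBUTES
    .filter((a) => !(a.toLowerCase() in attributes))
    .map((a) => `missing ${a}`);
  const sameSite = typeof attributes.samesite === 'string' ? attributes.samesite.toLowerCase() : '';
  if (sameSite === 'none' && !('secure' in attributes)) findings.push('SameSite=None requires Secure');
  // Browsers only honour the __Host- prefix with Secure, Path=/ and no Domain attribute.
  if (name.startsWith('__Host-') &&
      (!('secure' in attributes) || attributes.path !== '/' || 'domain' in attributes)) {
    findings.push('__Host- prefix requirements not met');
  }
  return findings;
}

// Audit every Set-Cookie header of a response at once (array of header values).
function auditResponseCookies(headers) {
  return headers.map((h) => ({ name: parseSetCookie(h).name, findings: auditSetCookie(h) }));
}

// Constructed sample headers: one hardened, one as a careless handler might emit it.
const hardened = buildSessionCookie('__Host-session', 'constructed-opaque-token');
const weak = 'session=constructed-opaque-token; Path=/';

console.log(auditResponseCookies([hardened, weak]));
```

Running `auditResponseCookies` against a staging response is a cheap regression check to put next to the end-to-end suite: it catches the case where a framework upgrade or a new route starts setting a cookie without the attributes, which a ZAP scan would also flag but only on its weekly schedule.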