Responsible Disclosure

Vulnerability Disclosure Policy

Security researchers make Fintra safer, and we want reporting to us to be easy and safe. This policy defines what’s in scope, promises safe harbor for good-faith research, and explains what to expect after you email security@fintrahub.com. We don’t run a paid bounty yet - but we acknowledge researchers publicly and take every credible report seriously.

Scope

In scope: the Fintra web application and APIs under fintrahub.com and its subdomains, including authentication, tenant isolation, the AI agent runtime (AgentFence policy enforcement), and integration token handling.

  • In scope: cross-tenant data access, authentication/authorization bypass, injection, agent policy-gate bypasses, sensitive-data exposure.
  • Out of scope: denial-of-service and volumetric testing, spam/social engineering of Fintra staff or customers, physical attacks, and third-party services we don’t operate (report those to the vendor).
  • Out of scope: findings requiring a compromised device, self-XSS, and missing best-practice headers without demonstrated impact.
  • Never access, modify, or exfiltrate data belonging to other users - use your own test account and stop at proof of concept.

Safe harbor

If you make a good-faith effort to follow this policy, we consider your research authorized. Fintra will not initiate legal action against you or refer you for prosecution for security research conducted within scope, and we will not pursue claims under the CFAA or analogous laws for accidental, good-faith violations of this policy. If a third party takes action against you for research consistent with this policy, we will make it known that your activities were authorized. Safe harbor requires: no privacy violations beyond the minimum needed to demonstrate the issue, no service disruption, no data destruction, and giving us reasonable time to remediate before public disclosure.

How to report and what happens next

Email security@fintrahub.com with reproduction steps, affected endpoints, impact assessment, and redacted evidence. Then:

  • Within 2 business days: acknowledgment from a human on the security team.
  • Within 5 business days: initial severity assessment and remediation outlook.
  • Throughout: status updates as we fix - you will not be left guessing.
  • Coordinated disclosure: we ask for up to 90 days to remediate before public disclosure, negotiable for severity in either direction; we’ll tell you when the fix ships.

Recognition

We do not currently operate a paid bug bounty program - we’re honest about that rather than dangling vague rewards. What we do offer: prompt human responses, credited public acknowledgment for researchers who report valid issues (with your consent - anonymity respected on request), and a security team that treats a well-written report as a gift. When a paid program launches, this page and prior contributors will be the first to know.

Frequently asked questions

Do you pay bounties?

Not yet. We acknowledge valid reports publicly (with your consent), respond quickly and personally, and will notify prior contributors when a paid program launches - but we won’t imply rewards we don’t offer.

Will you take legal action against me for testing?

Not for good-faith research within this policy’s scope. Our safe-harbor commitment covers authorized research explicitly, including accidental, good-faith deviations - see the safe harbor section above for the exact conditions.

Can I test with a free account?

Yes - please do. Create your own account and tenant for testing. Never probe other tenants’ data; cross-tenant issues can be demonstrated safely between two accounts you own.

When can I publish my findings?

We ask for up to 90 days for remediation before public disclosure, and we’ll coordinate timing with you - often faster for straightforward fixes. We’ll confirm when the fix has shipped so your write-up can say so.

Questions about vulnerability disclosure?

Our security team answers due-diligence questions directly - documentation, DPAs, and evidence available on request.

Talk to our security team