Vulnerability Disclosure Policy
We welcome and appreciate responsible disclosure of security vulnerabilities by the security research community.
Our Commitment
Adfynx is committed to working with security researchers to verify, reproduce, and respond to legitimate reported vulnerabilities. We will not pursue legal action against researchers who:
- Follow this disclosure policy
- Act in good faith and avoid privacy violations, data destruction, or service disruption
- Give us reasonable time to fix issues before public disclosure
Scope
In Scope
The following assets are in scope for vulnerability disclosure:
- adfynx.com and all subdomains (e.g., app.adfynx.com, api.adfynx.com)
- Adfynx web application and API endpoints
- Mobile applications (if applicable)
- Authentication and authorization mechanisms
- Data handling and storage systems
Out of Scope
The following are explicitly out of scope:
- Third-party services and infrastructure (Vercel, Railway, Supabase, etc.)
- Social engineering attacks against Adfynx employees or customers
- Physical attacks against Adfynx offices or data centers
- Denial of Service (DoS/DDoS) attacks
- Spam or social engineering content
- Reports from automated tools without validation
Vulnerability Types of Interest
We are particularly interested in the following types of vulnerabilities:
Critical
- Remote Code Execution (RCE)
- SQL Injection leading to data access
- Authentication bypass
- Privilege escalation to admin
- Direct access to customer data without authorization
High
- Cross-Site Scripting (XSS) with significant impact
- Cross-Site Request Forgery (CSRF) on sensitive actions
- Insecure Direct Object References (IDOR) exposing sensitive data
- Server-Side Request Forgery (SSRF)
- XML External Entity (XXE) attacks
Medium
- Information disclosure of non-sensitive data
- Broken access control on non-critical features
- Security misconfigurations with demonstrable impact
- Missing security headers with exploitable scenarios
Low
- Self-XSS without further impact
- Missing security headers without exploitable scenarios
- Information disclosure of non-sensitive public information
- Best practice recommendations
How to Report a Vulnerability
Reporting Channel
Please send vulnerability reports to:
PGP key for encrypted communications: Available upon request
What to Include
Please provide as much detail as possible to help us understand and reproduce the issue:
- Vulnerability Type: What kind of vulnerability is it? (e.g., XSS, SQL Injection, IDOR)
- Affected Asset: Which URL, endpoint, or component is affected?
- Steps to Reproduce: Detailed steps to reproduce the vulnerability
- Proof of Concept: Code, screenshots, or video demonstrating the issue
- Impact: What can an attacker do with this vulnerability?
- Suggested Fix: (Optional) How you think it should be fixed
- Your Contact Info: How we can reach you for follow-up questions
Important
- • Do not access or modify customer data beyond what's necessary to demonstrate the vulnerability
- • Do not perform actions that could harm service availability or data integrity
- • Do not publicly disclose the vulnerability before we've had a chance to fix it
Our Response Process
Acknowledgment
We will acknowledge receipt of your report within 2 business days and provide a tracking ID.
Triage & Validation
We will validate the vulnerability and assess its severity within 5 business days. We may contact you for additional information.
Remediation
We will work to fix the vulnerability based on severity:
- Critical: Within 7 days
- High: Within 30 days
- Medium: Within 90 days
- Low: Best effort, may be included in regular updates
Notification
We will notify you when the vulnerability is fixed and verified. If the issue affects customer data, we will also notify affected customers.
Public Disclosure
After the fix is deployed, we will coordinate with you on public disclosure timing. We prefer a 90-day disclosure window but are flexible based on severity.
Recognition & Rewards
Hall of Fame
We maintain a public Hall of Fame to recognize security researchers who have responsibly disclosed valid vulnerabilities. With your permission, we will list:
- Your name or handle
- Link to your website or social media (optional)
- Month and year of disclosure
- General vulnerability category (not specific details)
Bug Bounty Program
We are currently evaluating a bug bounty program. While we do not offer monetary rewards at this time, we greatly appreciate your contributions to our security. For significant findings, we may provide recognition, swag, or service credits as a token of our appreciation.
Safe Harbor
Adfynx considers security research conducted under this policy to be:
- Authorized in accordance with the Computer Fraud and Abuse Act (CFAA) and similar laws
- Exempt from restrictions in our Terms of Service that would interfere with security research
- Lawful and we will not pursue legal action against researchers who comply with this policy
This Safe Harbor applies only to security research conducted in good faith under this policy. It does not authorize testing on third-party systems or services.
Frequently Asked Questions
A: Yes, but please be careful not to harm service availability or access/modify customer data beyond what's necessary to demonstrate the vulnerability. Use test accounts when possible.
Contact Information
- Security Reports: security@adfynx.com
- General Questions: support@adfynx.com
- PGP Key: Available upon request
Last updated: December 19, 2025