Finholy LTD Responsible Disclosure Policy
Partnering with security researchers to build a safer financial platform for everyone
Our Commitment to Security and Collaboration
At Finholy LTD, protecting the confidentiality, integrity, and availability of our systems and customer data is our highest priority. We recognize that security is a shared responsibility that extends beyond our internal teams.
We deeply value the vital role of security researchers and ethical hackers in helping us identify and remediate vulnerabilities before they can be exploited. This policy outlines how you can responsibly disclose security issues to us and details our commitment to responding promptly and transparently.
What Is Responsible Disclosure?
Private Reporting
Responsible disclosure means reporting security vulnerabilities privately to Finholy LTD, allowing us adequate time to investigate and fix issues before any public disclosure occurs.
User Protection
This approach protects our users and ecosystem from potential exploitation while fostering a collaborative security community built on trust and mutual respect.
Transparency
We encourage transparency and good-faith efforts to improve our security posture, creating a safer environment for everyone who relies on our platform.
Scope: What Is In-Scope for Reporting?
1. Web Properties
Any Finholy LTD owned websites, web applications, APIs, and services that handle sensitive user or company data are within scope for security research.
2. Digital Platforms
This includes finholy.com, login.finholy.com, Finholy mobile applications on both iOS and Android platforms, and all related backend services that power our ecosystem.
3. Infrastructure
Infrastructure components directly managed by Finholy LTD that have a material impact on security, user privacy, and data protection are also in scope.
Out-of-Scope Vulnerabilities
To help researchers focus their efforts effectively, the following items are not covered by this program:
Third-Party Services
Issues in third-party services, plugins, or customer-hosted applications that are not directly controlled by Finholy LTD.
Low-Impact Findings
Non-exploitable findings such as missing security headers, verbose error messages without sensitive data exposure, or self-XSS that requires significant user interaction.
Disruptive Testing
Denial of Service (DoS) attacks, social engineering attempts, phishing campaigns, or physical security testing against our facilities.
Non-Security Issues
Vulnerabilities that do not materially affect confidentiality, integrity, or availability of systems or data.
How to Report a Vulnerability
Contact Information
Please send your detailed security report to support@finholy.com.
What to Include in Your Report
  • Vulnerability type and classification
  • Affected product, service, or URL
  • Detailed technical description
  • Step-by-step reproduction instructions
  • Proof of concept code or screenshots
  • Date and time of discovery
  • Any relevant logs or supporting evidence

Important: Keep all information confidential and do not share publicly until we have resolved the issue and provided clearance.
What We Ask From Researchers
Act in Good Faith
Conduct your research ethically and avoid accessing data beyond what is strictly necessary to demonstrate the vulnerability's existence and impact.
Respect Data Integrity
Do not exploit vulnerabilities to modify, delete, or exfiltrate data from our systems or compromise user accounts.
Maintain Service Availability
Avoid disruption of services, degradation of performance, or denial of service attacks during your security testing activities.
No Social Engineering
Do not engage in phishing, social engineering, unauthorized access attempts, or any form of manipulation of our employees or users.
Privacy First
Respect user privacy and confidentiality at all times throughout your research and reporting process.
Our Commitments to You
When you report a vulnerability in good faith, we promise to treat you fairly and professionally:
1. 72 Hours
We pledge to acknowledge receipt of your report within 72 hours of submission.
2. Investigation
We will work diligently to validate, prioritize, and remediate all confirmed vulnerabilities.
3. Communication
We will keep you informed of our progress and notify you when the issue is fully resolved.
4. Legal Protection
We will not take legal action against researchers who comply with this policy.
5. Recognition
Exceptional contributions may be recognized in our Hall of Fame or through discretionary rewards.
Legal Safe Harbor and Confidentiality
Safe Harbor Protection
Reporting vulnerabilities in accordance with this policy provides you with safe harbor from legal action related to your authorized security research activities conducted in good faith.
Strict Confidentiality
We treat all vulnerability reports and related communications as strictly confidential information protected under our security protocols.
Coordinated Disclosure
Public disclosure without prior written consent from Finholy LTD is prohibited and may be considered a violation of this policy, potentially removing safe harbor protections.

We believe in coordinated disclosure that balances transparency with responsible security practices. Once a vulnerability is remediated, we're happy to work with you on appropriate public disclosure timing.
Thank You to Our Security Community
Building a Safer Future Together
We deeply appreciate the dedication, skill, and efforts of security researchers who help us keep Finholy LTD safe and secure. Your collaboration strengthens our platform, protects our users, and contributes to a more secure financial ecosystem.
Together, we build a safer digital future for millions of users worldwide. Thank you for being part of our security community and for your commitment to responsible disclosure.
"Security is not a product, but a process built on collaboration and trust."