Partnering with security researchers to build a safer financial platform for everyone

At Finholy LTD, protecting the confidentiality, integrity, and availability of our systems and customer data is our highest priority. We recognize that security is a shared responsibility that extends beyond our internal teams.
We deeply value the vital role of security researchers and ethical hackers in helping us identify and remediate vulnerabilities before they can be exploited. This policy outlines how you can responsibly disclose security issues to us and details our commitment to responding promptly and transparently.
Responsible disclosure means reporting security vulnerabilities privately to Finholy LTD, allowing us adequate time to investigate and fix issues before any public disclosure occurs.
This approach protects our users and ecosystem from potential exploitation while fostering a collaborative security community built on trust and mutual respect.
We encourage transparency and good-faith efforts to improve our security posture, creating a safer environment for everyone who relies on our platform.
Any Finholy LTD owned websites, web applications, APIs, and services that handle sensitive user or company data are within scope for security research.
This includes finholy.com, login.finholy.com, Finholy mobile applications on both iOS and Android platforms, and all related backend services that power our ecosystem.
Infrastructure components directly managed by Finholy LTD that have a material impact on security, user privacy, and data protection are also in scope.
To help researchers focus their efforts effectively, the following items are not covered by this program:
Issues in third-party services, plugins, or customer-hosted applications that are not directly controlled by Finholy LTD.
Non-exploitable findings such as missing security headers, verbose error messages without sensitive data exposure, or self-XSS that requires significant user interaction.
Denial of Service (DoS) attacks, social engineering attempts, phishing campaigns, or physical security testing against our facilities.
Vulnerabilities that do not materially affect confidentiality, integrity, or availability of systems or data.
Please send your detailed security report to support@finholy.com
Conduct your research ethically and avoid accessing data beyond what is strictly necessary to demonstrate the vulnerability's existence and impact.
Do not exploit vulnerabilities to modify, delete, or exfiltrate data from our systems or compromise user accounts.
Avoid disruption of services, degradation of performance, or denial of service attacks during your security testing activities.
Do not engage in phishing, social engineering, unauthorized access attempts, or any form of manipulation of our employees or users.
Respect user privacy and confidentiality at all times throughout your research and reporting process.
When you report a vulnerability in good faith, we promise to treat you fairly and professionally:
We pledge to acknowledge receipt of your report within 72 hours of submission.
We will work diligently to validate, prioritize, and remediate all confirmed vulnerabilities.
We will keep you informed of our progress and notify you when the issue is fully resolved.
We will not take legal action against researchers who comply with this policy.
Exceptional contributions may be recognized in our Hall of Fame or through discretionary rewards.
Reporting vulnerabilities in accordance with this policy provides you with safe harbor from legal action related to your authorized security research activities conducted in good faith.
We treat all vulnerability reports and related communications as strictly confidential information protected under our security protocols.
Public disclosure without prior written consent from Finholy LTD is prohibited and may be considered a violation of this policy, potentially removing safe harbor protections.
We believe in coordinated disclosure that balances transparency with responsible security practices. Once a vulnerability is remediated, we're happy to work with you on appropriate public disclosure timing.
We deeply appreciate the dedication, skill, and efforts of security researchers who help us keep Finholy LTD safe and secure. Your collaboration strengthens our platform, protects our users, and contributes to a more secure financial ecosystem.
Together, we build a safer digital future for millions of users worldwide. Thank you for being part of our security community and for your commitment to responsible disclosure.
"Security is not a product, but a process built on collaboration and trust."
Finholy LTD Responsible Disclosure Policy