Finholy LTD Responsible Disclosure Policy

Partnering with security researchers to build a safer financial platform for everyone

Our Commitment to Security and Collaboration

At Finholy LTD, protecting the confidentiality, integrity, and availability of our systems and customer data is our highest priority. We recognize that security is a shared responsibility that extends beyond our internal teams.

We deeply value the vital role of security researchers and ethical hackers in helping us identify and remediate vulnerabilities before they can be exploited. This policy outlines how you can responsibly disclose security issues to us and details our commitment to responding promptly and transparently.

What Is Responsible Disclosure?

Private Reporting

Responsible disclosure means reporting security vulnerabilities privately to Finholy LTD, allowing us adequate time to investigate and fix issues before any public disclosure occurs.

User Protection

This approach protects our users and ecosystem from potential exploitation while fostering a collaborative security community built on trust and mutual respect.

Transparency

We encourage transparency and good-faith efforts to improve our security posture, creating a safer environment for everyone who relies on our platform.

Scope: What Is In-Scope for Reporting?

01

Web Properties

Any Finholy LTD owned websites, web applications, APIs, and services that handle sensitive user or company data are within scope for security research.

02

Digital Platforms

This includes finholy.com, login.finholy.com, Finholy mobile applications on both iOS and Android platforms, and all related backend services that power our ecosystem.

03

Infrastructure

Infrastructure components directly managed by Finholy LTD that have a material impact on security, user privacy, and data protection are also in scope.

Out-of-Scope Vulnerabilities

To help researchers focus their efforts effectively, the following items are not covered by this program:

Third-Party Services

Issues in third-party services, plugins, or customer-hosted applications that are not directly controlled by Finholy LTD.

Low-Impact Findings

Non-exploitable findings such as missing security headers, verbose error messages without sensitive data exposure, or self-XSS that requires significant user interaction.

Disruptive Testing

Denial of Service (DoS) attacks, social engineering attempts, phishing campaigns, or physical security testing against our facilities.

Non-Security Issues

Vulnerabilities that do not materially affect confidentiality, integrity, or availability of systems or data.

How to Report a Vulnerability

Contact Information

Please send your detailed security report to support@finholy.com

What to Include in Your Report

  • Vulnerability type and classification
  • Affected product, service, or URL
  • Detailed technical description
  • Step-by-step reproduction instructions
  • Proof of concept code or screenshots
  • Date and time of discovery
  • Any relevant logs or supporting evidence

What We Ask From Researchers

Act in Good Faith

Conduct your research ethically and avoid accessing data beyond what is strictly necessary to demonstrate the vulnerability's existence and impact.

Respect Data Integrity

Do not exploit vulnerabilities to modify, delete, or exfiltrate data from our systems or compromise user accounts.

Maintain Service Availability

Avoid disruption of services, degradation of performance, or denial of service attacks during your security testing activities.

No Social Engineering

Do not engage in phishing, social engineering, unauthorized access attempts, or any form of manipulation of our employees or users.

Privacy First

Respect user privacy and confidentiality at all times throughout your research and reporting process.

Our Commitments to You

When you report a vulnerability in good faith, we promise to treat you fairly and professionally:

1

72 Hours

We pledge to acknowledge receipt of your report within 72 hours of submission.

2

Investigation

We will work diligently to validate, prioritize, and remediate all confirmed vulnerabilities.

3

Communication

We will keep you informed of our progress and notify you when the issue is fully resolved.

4

Legal Protection

We will not take legal action against researchers who comply with this policy.

5

Recognition

Exceptional contributions may be recognized in our Hall of Fame or through discretionary rewards.

Legal Safe Harbor and Confidentiality

Safe Harbor Protection

Reporting vulnerabilities in accordance with this policy provides you with safe harbor from legal action related to your authorized security research activities conducted in good faith.

Strict Confidentiality

We treat all vulnerability reports and related communications as strictly confidential information protected under our security protocols.

Coordinated Disclosure

Public disclosure without prior written consent from Finholy LTD is prohibited and may be considered a violation of this policy, potentially removing safe harbor protections.


We believe in coordinated disclosure that balances transparency with responsible security practices. Once a vulnerability is remediated, we're happy to work with you on appropriate public disclosure timing.

Thank You to Our Security Community

Building a Safer Future Together

We deeply appreciate the dedication, skill, and efforts of security researchers who help us keep Finholy LTD safe and secure. Your collaboration strengthens our platform, protects our users, and contributes to a more secure financial ecosystem.

Together, we build a safer digital future for millions of users worldwide. Thank you for being part of our security community and for your commitment to responsible disclosure.

"Security is not a product, but a process built on collaboration and trust."