
Security: EnesEfeTokta/FinTrackWebApi


docs/SECURITY.md

FinTrackWebApi Security Policy

Introduction and Philosophy

The security of the FinTrack project and its users is our highest priority. We deeply value the efforts of our community and well-intentioned security researchers in helping us keep our projects secure. If you believe you have discovered a security vulnerability, we ask that you report your findings to us responsibly.

This policy outlines how to report potential security vulnerabilities to us and what you can expect from us after you submit your report.

Scope

This policy applies to assets that are directly managed and controlled by the FinTrackWebApi project itself.

✅ In-Scope Assets

Asset                          | Description
-------------------------------|------------------------------------------------------------------
main and develop branches      | All code within the project's main GitHub repository.
api.fintrack-example.com       | The project's official live API endpoint. (If applicable)
GitHub Actions workflows       | All CI/CD automations in the .github/workflows/ directory.

❌ Out-of-Scope Assets

The following items are out of scope and will not be considered under this policy:

  • Denial of Service (DoS/DDoS) Attacks: Please do not conduct DoS tests against our services.
  • Social Engineering or Phishing: Attempts at social engineering directed at our project team or users.
  • Physical Security: Attempts to breach the physical security of our data centers or offices.
  • Automated Scanner Reports: Unverified reports generated by vulnerability scanners (e.g., Qualys, Nessus, OWASP ZAP) without manual testing. Please ensure your report includes a Proof of Concept.
  • Lack of Best Practices: Issues that are not directly exploitable vulnerabilities, such as missing SPF/DKIM/DMARC records or a lack of rate limiting. (You can adjust this item based on your needs)
  • User-Side Issues: Problems arising from outdated browsers or compromised end-user devices.

How to Report a Security Vulnerability

When you discover a potential security vulnerability, please do not disclose this information through public GitHub Issues, discussions, or social media.

Instead, use one of the following methods:

1. GitHub Private Vulnerability Reporting (Preferred Method)

We strongly encourage you to use GitHub's built-in private reporting feature to ensure your findings reach us securely. This makes it easier for us to track the process and communicate with you.

Report a Vulnerability via GitHub (use the "Report a vulnerability" button on the repository's Security tab)

2. Email (Alternative Method)

If you are unable to use GitHub, you can send your findings directly via email to security@fintrack-example.com.

  • Please include [SECURITY] FinTrackWebApi Vulnerability Report in the subject line.
  • If possible, encrypt your email with our PGP key. (If you have a PGP key, you can add it here; this is much more professional)

Process and Expectations (SLA)

We are committed to the following for researchers who follow our responsible disclosure policy:

  1. Acknowledgment: We will acknowledge receipt of your report within 2 business days.
  2. Initial Triage: We will review your report and provide an initial assessment (validity, severity, etc.) within 5 business days.
  3. Resolution Process: Depending on the severity of the vulnerability, we will establish a resolution timeline and keep you regularly informed of our progress. We aim to resolve critical vulnerabilities as quickly as possible.
  4. Public Disclosure and Attribution: After a fix is released, we will coordinate with you on the public disclosure of your finding, if you wish. It is important for us to give you the credit you deserve and thank you for your contribution.

Rewards & Recognition

We do not currently have a formal bug bounty program with monetary rewards. However, we appreciate the contributions of all researchers who report a valid vulnerability and cooperate with us responsibly.

We will gladly acknowledge contributors, if they desire, in our release notes or on a "Hall of Fame" page on our project's website.

Legal Safe Harbor

As long as you conduct your security research in good faith and in accordance with this policy, we will consider your activities to be authorized, and we will not initiate legal action against you or request an investigation from law enforcement. If a third party initiates legal action against you in connection with your activities, we will take steps to make it known that your actions were conducted in compliance with this policy.

Please:

  • Avoid violating the privacy of user data, disrupting financial transactions, or damaging production systems.
  • Interact only with the minimum amount of data necessary to confirm the vulnerability.

Thank you for helping us make FinTrack more secure.
