Report a Vulnerability

Last Updated: January 20, 2025

1. Responsible Disclosure Program

At Linkfro, we take security seriously. We appreciate your efforts to responsibly disclose any security vulnerabilities you may discover in our systems.

Our security team is committed to responding promptly to legitimate security concerns and working with researchers to address them appropriately.

2. Scope of Systems

This vulnerability disclosure program applies to security issues that affect our production systems and services:

In Scope Systems

  • Production website and API endpoints
  • Mobile applications and services
  • Authentication and authorization systems
  • User data storage and processing systems
  • Payment processing infrastructure
  • Communication and messaging systems

Out of Scope Systems

  • Third-party services and integrations
  • Development and staging environments
  • Subdomains of third-party providers
  • Physical security of offices
  • Systems belonging to our customers

3. Types of Issues We Want to Hear About

We encourage you to report the following types of security vulnerabilities:

Critical Vulnerabilities

  • Remote code execution (RCE)
  • SQL injection and command injection
  • Server-side request forgery (SSRF)
  • Authentication bypass
  • Privilege escalation

High-Risk Vulnerabilities

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Information disclosure
  • Broken authentication and session management
  • Security misconfigurations

Medium-Risk Vulnerabilities

  • Clickjacking
  • Weak cryptography
  • Improper input validation
  • Business logic flaws

4. What We Don't Want to Hear About

Please do not submit reports about the following:

  • Spam, phishing, or social engineering
  • Denial of service (DoS/DDoS) attacks
  • Issues that require unrealistic preconditions
  • Self-XSS
  • Missing security best practices (without demonstrating exploitability)
  • Brute force attacks without demonstrating feasibility
  • Issues that are already known to our security team

5. How to Report a Vulnerability

Please follow these steps when reporting a security vulnerability:

Initial Report

  1. Contact us through our designated security channel
  2. Provide a clear description of the vulnerability
  3. Include steps to reproduce the issue
  4. Describe the potential impact
  5. Attach proof-of-concept code if available

Reporting Channels

Email: security@linkfro.com
PGP Key: Available upon request
Response Time: Within 48 hours
Time to Resolution: Typically within 30 days

6. Vulnerability Reporting Template

Please use the following template when reporting a vulnerability:

Subject: Security Vulnerability Report

1. Summary:
[Concise description of the vulnerability]

2. Location:
[URL or endpoint where the vulnerability exists]

3. Description:
[Detailed explanation of the vulnerability]

4. Steps to Reproduce:
[Step-by-step instructions to reproduce the issue]

5. Impact:
[Description of the potential impact]

6. Proof of Concept:
[Code or screenshots demonstrating the vulnerability]

7. Recommendation:
[Suggested fix or mitigation strategy]

8. Reporter Contact:
[Your contact information for follow-up]

7. Our Commitment to Researchers

We commit to the following when handling vulnerability reports:

Response Time

  • Initial acknowledgment within 48 hours
  • Confirmation of vulnerability within 7 days
  • Status updates every 14 days until resolution

Resolution Timeline

  • Critical vulnerabilities: 15 days
  • High-risk vulnerabilities: 30 days
  • Medium-risk vulnerabilities: 45 days

Recognition

We appreciate responsible disclosure and may offer recognition for significant contributions to our security posture.

8. Legal Safe Harbor

We support the responsible reporting of security vulnerabilities and will not initiate legal action against security researchers who:

  • Act in good faith when conducting security research
  • Report vulnerabilities according to this policy
  • Do not access or exfiltrate user data unnecessarily
  • Do not publicly disclose the vulnerability before 30 days have passed
  • Do not engage in destructive testing

9. Bug Bounty Program

While we do not currently offer monetary rewards, we recognize and appreciate the efforts of security researchers. We may consider compensation for critical vulnerabilities that pose significant risk to our users.

10. Contact Information

For questions about our vulnerability disclosure program or to report a security issue, please contact us:

Primary Email: security@linkfro.com
Backup Email: legal@linkfro.com
Address: 123 Market Street, San Francisco, CA 94103
Responsible Disclosure: We will not take legal action against researchers who follow responsible disclosure practices.