Honest posture

Bug bounty

Public bounty launches when we can triage fairly. Private disclosures welcomed today.

We take security reports seriously. A formal public bug-bounty programme opens once we have the staffing to triage inside 48 hours. Until then, please disclose privately — we will credit you (with your permission) and pay where the policy below says we will.

Programme status: privatePublic launch: plannedDisclosure: responsible, 90-day default

How to reach us

One email, one PGP key.

Send reports to security@confinity.com. Include a proof of concept, the affected URL, and any suggested remediation. If your report contains PII (even as part of the PoC), encrypt it to our PGP key; the fingerprint is published on request and rotated annually.

security@confinity.com

PGP on request

Acknowledgement inside 72 hours

Scope

In scope and out of scope.

In scope

*.confinity.com web properties
/app signed-in surfaces
/api/* public endpoints
Authentication flows (sign-in, session handling, CSRF)
Payment flows (Founding Circle checkout)
Mobile + desktop apps once they are public

Out of scope

Third-party services we link to (report to them directly)
Social engineering of staff (we will not pay for this)
Physical attacks on our premises or personnel
Denial-of-service testing without prior written authorisation
Automated scanner output without a working proof of concept

Severity

How we classify and reward.

Critical
Top of range (published at public launch)
Account takeover, full data exfiltration, PII exposure at scale
High
Meaningful (published at public launch)
Authorisation bypass, content tampering, XSS on authenticated pages
Medium
Credit + modest bounty
CSRF without state change, reflected XSS on marketing surfaces
Low
Credit only
Information disclosure without PII, minor misconfiguration

Safe-harbour rules

Good-faith testing that complies with this scope will not be treated as a breach of our terms.
Please do not access, modify, or retain data that is not yours; stop as soon as the vulnerability is demonstrated.
Public disclosure may happen after the 90-day default window, or sooner with our mutual agreement.

Looking for more?

The Trust Centre indexes every honest doc we publish. The binding legal sits below it.

Back to the Trust Centre

Warrant canary

Ask a human

Preparing the pageOne moment - fetching quietly.

Public bounty launches when we can triage fairly. Private disclosures welcomed today.

Programme status: privatePublic launch: plannedDisclosure: responsible, 90-day default

Safe-harbour rules

Good-faith testing that complies with this scope will not be treated as a breach of our terms.

Please do not access, modify, or retain data that is not yours; stop as soon as the vulnerability is demonstrated.

Public disclosure may happen after the 90-day default window, or sooner with our mutual agreement.

Public bounty launches when we can triage fairly. Private disclosures welcomed today.

One email, one PGP key.

In scope and out of scope.

In scope

Out of scope

How we classify and reward.

Critical

High

Medium

Low

Safe-harbour rules

Looking for more?

Public bounty launches when we can triage fairly. Private disclosures welcomed today.

One email, one PGP key.

In scope and out of scope.

In scope

Out of scope

How we classify and reward.

Critical

High

Medium

Low

Safe-harbour rules

Looking for more?