Vulnerability Disclosure Policy
Koyfin Inc. is committed to ensuring the security of our systems and our users' data. We appreciate the valuable role that security researchers play in keeping our community safe.
Our Commitment to Security
At Koyfin Inc., we take security seriously and implement multiple layers of protection:
- Encryption of all user data at rest
- Implementation of the principle of least privilege for data access
- Continuous security monitoring systems
- Multi-factor authentication (MFA) for all critical systems
- Regular security assessments and penetration testing
- Compliance with industry security standards
- Regular security training for all employees
Scope and Guidelines
In-Scope Systems
- koyfin.com and all of its subdomains (*.koyfin.com)
- Koyfin mobile applications
- Koyfin API endpoints
- Any other Koyfin-owned web properties
What We Expect
- Submit detailed reports with a clear proof of concept
- Include step-by-step reproduction instructions
- Give us a reasonable time (at least 90 days) to resolve an issue before disclosing it publicly
- Make good-faith efforts to avoid privacy violations and disruption of our services
- Only interact with test accounts you own
- Securely delete any data collected during testing
- Do not modify or access data that does not belong to you
Out of Scope / Prohibited Activities
- DDoS attacks or network denial of service testing
- Social engineering attempts against our employees
- Physical security testing of Koyfin offices
- Testing that involves accessing, modifying, or extracting data belonging to other users
- Submission of multiple low-quality or generic vulnerability reports
- Testing of third-party applications, websites, or services that integrate with Koyfin
- Running automated vulnerability scanners and reporting their output without manual verification
- Any testing that could impact the availability or integrity of our services
Reporting Process
To report a security vulnerability:
- Send your report to security@koyfin.com
- We will acknowledge your report within two business days
- Our security team will investigate and maintain communication with you throughout the process
- You'll receive updates as we investigate and resolve the issue
Report Requirements
Please include the following in your report:
- Detailed description of the potential vulnerability
- Step-by-step reproduction instructions
- Proof of concept (if applicable)
- Impact assessment
- Screenshots or videos demonstrating the issue
- Your name and contact information
- Any suggested remediation steps
Response Timeline
- Initial Response: Within 2 business days
- Status Update: Every 5 business days
- Resolution Goal: Within 90 days
Safe Harbor
Koyfin Inc. will not pursue legal action against security researchers who:
- Make good-faith efforts to comply with this policy
- Follow responsible disclosure practices
- Do not engage in prohibited activities
- Report vulnerabilities in a timely manner
- Keep vulnerability details confidential until remediated
We may:
- Acknowledge researchers in our security hall of fame
- Provide a letter of appreciation for responsible disclosure
- Notify law enforcement if we believe the research violates applicable laws
Program Terms
- We reserve the right to update or modify this policy and its terms at any time
- We review and update this policy at least annually
- Participation in this program does not create any employment or contractor relationship