Responsible Disclosure Policy
Defenty is a security product — we take the integrity of our own platform seriously. If you discover a security vulnerability in Defenty's infrastructure, web application, API, or scanning pipeline, we encourage you to disclose it to us responsibly. We will investigate all credible reports and act quickly to resolve confirmed issues.
1. How to Report
Send your report to report@defenty.com with the subject line [SECURITY] <brief description>.
Please include as much of the following as possible:
- A clear description of the vulnerability and its potential impact;
- Step-by-step reproduction instructions;
- The URL, endpoint, or component affected;
- Any proof-of-concept code, screenshots, or HTTP request/response captures;
- Your suggested severity (Critical / High / Medium / Low);
- Whether you would like to be credited in any public acknowledgement (name or handle).
We will acknowledge your report within 2 business days and provide a resolution timeline within 7 business days.
2. In Scope
The following assets are in scope for responsible disclosure:
- defenty.com — the web application, including all subdomains (e.g., api.defenty.com);
- API endpoints — REST API at api.defenty.com;
- Scan result pages — authentication, access control, and data isolation between scan reports;
- Email OTP flow — the verification flow used to authenticate scan requests;
- Checkout and payment flow — Stripe integration and session handling.
3. Out of Scope
The following are not in scope:
- Vulnerabilities in third-party services (Stripe, ipapi.co, cloud providers) — report these directly to the respective vendor;
- Social engineering attacks targeting Defenty staff;
- Physical attacks against infrastructure;
- Denial of service (DoS/DDoS) attacks;
- Automated scanning of Defenty's own infrastructure using Defenty or other tools without prior written permission;
- Vulnerabilities requiring physical access to a user's device;
- Reports generated by automated scanners without manual validation (we will acknowledge but likely will not act on unvalidated automated findings).
4. Safe Harbour
We will not pursue legal action against researchers who:
- Discover and report security vulnerabilities in good faith under this policy;
- Do not access, modify, or exfiltrate user data beyond what is strictly necessary to demonstrate the vulnerability;
- Do not disrupt the availability of the platform or degrade the experience of other users;
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to investigate and remediate it (see Coordinated Disclosure below).
This safe harbour is limited to activities that comply strictly with the terms set out in this policy. Activities outside these boundaries remain prohibited and may be prosecuted under applicable law.
5. Coordinated Disclosure
We follow a coordinated disclosure model. Once a vulnerability is reported:
- We will aim to confirm the issue within 7 business days;
- We will develop and deploy a fix within 30 days for critical/high severity issues, and within 90 days for medium/low severity issues;
- We will notify you when the fix is deployed and agree on a public disclosure timeline;
- If you wish to publish a write-up after remediation, we ask that you coordinate the timing with us and give us at least 72 hours' notice before publication.
In cases where we are unable to meet these timelines due to exceptional complexity, we will communicate openly with you about the delay and an updated timeline.
6. What We Ask of You
- Test only against accounts and domains you own or control;
- Do not access, download, or modify data belonging to other users — if you encounter other users' data accidentally, stop immediately and include this in your report;
- Avoid actions that could impact platform availability;
- Keep vulnerability details confidential until we jointly agree on disclosure;
- Act in good faith — the spirit of this policy is collaboration, not exploitation.
7. Recognition
We do not currently operate a paid bug bounty programme. However, we genuinely appreciate the effort responsible researchers put into improving the security of our platform. Confirmed, previously unknown vulnerabilities of Medium severity or higher will be acknowledged in our security hall of fame (if the researcher consents), and we may offer further recognition at our sole discretion.
Contact
For security vulnerability reports: report@defenty.com
For all other inquiries:
São Paulo, Brazil