Responsible Disclosure Policy

Last updated: 30 May 2026

1. Introduction

We take the security of JoinFunds and the privacy of our users' financial data seriously. We welcome reports from security researchers and members of the public who discover potential vulnerabilities in our systems. This policy explains how to report an issue to us and what you can expect in return.

This page is the human-readable counterpart to our machine-readable security.txt file, published in accordance with RFC 9116.
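RFC 9116 places security.txt at /.well-known/security.txt and requires at least one Contact field (a mailto:, https: or tel: URI, never a bare address) and exactly one Expires field; it also recommends that the expiry date sit less than a year in the future. The checker below, added here as an illustration and not part of the policy or of any JoinFunds code, parses a constructed security.txt and reports violations of those rules. Only the contact address comes from this page; the Expires, Policy and Canonical values are assumed for the example.

```python
"""Check an RFC 9116 security.txt for the mandatory fields and a sane Expires."""
from datetime import datetime, timedelta, timezone

# Constructed sample for this example. It is not the live file served at
# joinfunds.app; only the Contact address is taken from the policy text, and
# the Expires, Policy, Preferred-Languages and Canonical values are assumptions.
SAMPLE_SECURITY_TXT = """\
# JoinFunds security.txt (illustrative sample)
Contact: mailto:security@joinfunds.app
Expires: 2027-05-01T00:00:00Z
Policy: https://joinfunds.app/responsible-disclosure
Preferred-Languages: en
Canonical: https://joinfunds.app/.well-known/security.txt
"""

# Fields RFC 9116 requires, and fields that must not appear more than once.
REQUIRED = ("contact", "expires")
AT_MOST_ONCE = ("expires", "preferred-languages")


def parse_security_txt(text):
    """Return {field_name_lowercased: [values...]}; '#' comments and blanks are skipped.

    Field names are case-insensitive in RFC 9116, hence the lower-casing.
    """
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line (no 'Field: value'): {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now=None):
    """Return a list of problem strings; an empty list means the file passes."""
    now = now or datetime.now(timezone.utc)
    problems = []
    fields = parse_security_txt(text)

    for name in REQUIRED:
        if name not in fields:
            problems.append(f"missing required field: {name}")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field must not appear more than once: {name}")

    # Contact values must be URIs; an email address needs the mailto: scheme.
    for contact in fields.get("contact", []):
        if ":" not in contact or ("@" in contact and not contact.startswith("mailto:")):
            problems.append(f"contact is not a URI (use mailto:/https:/tel:): {contact}")

    if len(fields.get("expires", [])) == 1:
        # RFC 9116 uses ISO 8601 date-time; the trailing Z is rewritten so that
        # datetime.fromisoformat accepts it on Python versions before 3.11.
        try:
            expires = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
        except ValueError:
            problems.append("expires is not an ISO 8601 date-time")
        else:
            if expires <= now:
                problems.append("file has expired and should be treated as stale")
            elif expires - now > timedelta(days=365):
                problems.append("expires is more than a year out (RFC 9116 recommends under a year)")
    return problems


if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE_SECURITY_TXT) or ["no problems found"]:
        print(problem)
```

Run it against the file you actually serve (fetch /.well-known/security.txt and pass the body to check_security_txt) and add the expiry check to a scheduled job: a security.txt that has lapsed is the most common way a published contact channel silently stops being trusted by researchers and tooling.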

2. How to Report a Vulnerability

Please email a detailed report to security@joinfunds.app. To help us triage and reproduce the issue quickly, include, where you can:

  • A clear description of the vulnerability and its potential impact.
  • Step-by-step instructions to reproduce it, including any proof-of-concept code, requests, or screenshots.
  • The affected URL, endpoint, or component.
  • Your name or handle if you would like to be credited (optional — see section 7).

Please report only one vulnerability per email so each report can be tracked independently.

3. Scope

The following assets are in scope for this policy:

  • The JoinFunds web application at joinfunds.app and its API.
  • The JoinFunds mobile application.

The following are explicitly out of scope:

  • Denial-of-service (DoS/DDoS), volumetric, or other resource-exhaustion attacks.
  • Social engineering, phishing, or physical attacks against JoinFunds staff or infrastructure.
  • Automated scanning that generates excessive traffic, and reports produced solely by automated tools without a demonstrated, exploitable impact.
  • Vulnerabilities in third-party services we rely on (e.g. Supabase, Stripe, Vercel) — please report those to the relevant vendor.
  • Best-practice suggestions with no demonstrable security impact (e.g. missing headers without a working exploit).

4. What to Expect From Us

  • Acknowledgement within 72 hours of receiving your report.
  • A follow-up with our initial assessment of validity and severity within 10 working days.
  • Regular updates on our progress towards a fix, and notification once the issue is resolved.
  • Coordinated disclosure timing — we will agree a reasonable public disclosure date with you once a fix is deployed.

5. Guidelines for Researchers

When investigating a potential vulnerability, we ask that you:

  • Make every effort to avoid privacy violations, data destruction, and service interruption.
  • Only interact with accounts you own or have explicit permission to test. Never access, modify, or delete another user's data.
  • Stop testing and report immediately if you encounter data belonging to another user, and do not download, copy, or retain more than is necessary to demonstrate the issue.
  • Keep the details of any vulnerability confidential until we have had a reasonable opportunity to resolve it.

6. Safe Harbour

We will not pursue or support legal action against researchers who discover and report vulnerabilities in good faith and in accordance with this policy. We consider activity conducted under this policy to be authorised, and we will not treat it as a violation of our Terms of Service. If a third party initiates legal action against you for activity that complied with this policy, we will make it known that your actions were authorised.

This safe-harbour commitment does not extend to actions that are reckless, malicious, or that intentionally harm our users or systems.

7. Recognition & Rewards

JoinFunds does not currently operate a formal bug-bounty programme, so we are unable to offer monetary rewards at this time. We are, however, sincerely grateful for every good-faith report. With your permission, we are happy to publicly acknowledge your contribution once an issue has been resolved.

8. Further Information

For an overview of how we protect your data, see our Security & Privacy page. For details on how we handle personal data, see our Privacy Policy.