Responsible Disclosure Policy
Security Vulnerability Reporting — CardFi Bug Bounty Programme
We genuinely appreciate security researchers who take the time to responsibly disclose vulnerabilities. If you've found a security issue in CardFi, please report it — we'll investigate promptly and recognise your contribution.
1. Our Commitment
CardFi is committed to keeping our platform and users safe. We welcome responsible disclosure from security researchers and will:
- Acknowledge your report within 48 hours
- Provide regular updates on investigation progress
- Work to resolve valid vulnerabilities within 30 days
- Credit you publicly (if you wish) upon resolution
- Not pursue legal action against researchers who act in good faith
2. Scope — In Scope
Primary Targets
- cardfi.online — Main web platform
- api.cardfi.online — API endpoints
- CardFi mobile/PWA application
Vulnerability types we're particularly interested in:
- Authentication bypass or account takeover
- Authorisation flaws (accessing other users' data)
- XSS (Cross-Site Scripting) with significant impact
- SQL injection or database access
- Sensitive data exposure (card numbers, KYC documents)
- CSRF leading to account actions
- Business logic flaws (e.g. bypassing deposit verification)
- API security vulnerabilities
3. Out of Scope
- Denial of Service (DoS/DDoS) attacks
- Social engineering attacks against CardFi staff
- Physical attacks against infrastructure
- Vulnerabilities in third-party services not directly under our control
- Issues requiring unlikely user interaction (e.g. self-XSS)
- Rate limiting on non-sensitive endpoints
- Missing security headers with no exploitable impact
- Outdated software versions without proof of exploitability
4. Rules of Engagement
To qualify for responsible disclosure, you must:
- Only test against accounts you own or have explicit permission to test
- Not access, modify, or delete other users' data
- Not perform automated scanning without prior written permission
- Not publicly disclose the vulnerability before we've had 30 days to fix it
- Not exploit the vulnerability beyond what is necessary to demonstrate it
- Stop testing and report immediately if you encounter user data
5. What to Include in Your Report
A good vulnerability report includes:
- Clear description of the vulnerability and its impact
- Step-by-step reproduction instructions
- Screenshots, video, or proof-of-concept code
- Affected URL, endpoint, or component
- Your assessment of severity (critical/high/medium/low)
- Any suggested remediation (optional but appreciated)
6. Severity & Recognition
- Critical (e.g. RCE, mass account takeover): Public credit + potential reward
- High (e.g. auth bypass, data exposure): Public credit on our Hall of Fame
- Medium/Low: Acknowledgement and thanks
We do not currently operate a formal paid bug bounty programme, but we recognise outstanding contributions and may offer rewards at our discretion for critical findings.
Report a Vulnerability
Send your security report to our dedicated security email. Please encrypt sensitive findings using our PGP key if available.
security@cardfi.online
© 2025 CardFi Technologies Inc. All Rights Reserved.