Vulnerability Disclosure Policy
We take the security of our platform seriously. If you discover a security vulnerability, we encourage responsible disclosure and will work with you to resolve it promptly.
1. Scope
This policy applies to security vulnerabilities found in:
- sofibia.com and its subdomains (marketing website, application, public feedback forms)
- The Sofibia API and backend infrastructure
Out of scope: third-party services (Google OAuth, Lemon Squeezy, OpenAI), spam or social engineering, physical attacks, and issues in software we do not control.
2. How to Report
Send your report to security@sofibia.com. Please include:
- A clear description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information (optional, if you want to be kept informed)
Encrypt your report with our PGP key if sending sensitive details; the key is available on request at the address above.
3. Our Commitments
- We will acknowledge your report within 5 business days.
- We will keep you informed of our progress while we investigate.
- We will notify you when the issue is resolved.
- We will not take legal action against researchers acting in good faith under this policy.
4. Safe Harbor
We consider good-faith security research conducted under this policy to be authorised. We will not pursue civil or criminal action against researchers who:
- Report vulnerabilities through the channel above without exploiting them
- Avoid accessing, modifying, or deleting user data beyond what is necessary to demonstrate the vulnerability
- Do not perform denial-of-service attacks, social engineering, or physical attacks
- Do not disclose the vulnerability publicly before we have had reasonable time to address it
5. Bug Bounty
We do not currently operate a paid bug bounty programme. We are grateful for responsible disclosures and will publicly acknowledge reporters (with their consent) when the fix is released.
6. Contact
Security reports: security@sofibia.com
General security questions: security@sofibia.com