Security policy.

Effective 2026-05-23.

This page describes how Findby protects customer data and how to report a vulnerability. The machine-readable contact is published at /.well-known/security.txt per RFC 9116. The disclosure terms below are the policy that link refers to.

Reporting a vulnerability

Email security@findby.io with as much detail as you can — what you found, how you found it, and what an attacker could do with it. Include a proof of concept if you have one. We confirm receipt within two business days and aim to triage within five. Vulnerabilities that affect customer data take priority over everything else on the roadmap.

Disclosure window

Please give us ninety days from initial report before public disclosure. We will work to ship a fix faster when the exposure warrants it, and we will tell you when the fix is live. If ninety days passes without a meaningful response from our side, you are free to publish — that is our problem, not yours.

Scope

In scope: findby.io and its subdomains, the production application, the marketing site, the discovery pipeline, and the outbound mail infrastructure. Out of scope: third-party services that publish their own vulnerability programs (Stripe, Postmark, Amazon SES, Cloudflare), staff phishing, physical attacks, and social engineering of our employees or contractors.

Controls

Encryption in transit (TLS 1.2+) and at rest (AES-256). Access scoped according to the principle of least privilege, with named accounts and audit logging on every administrative action. Secrets rotated quarterly and on personnel change. Dependencies tracked through automated SCA with a managed patch window. Production data never copied to development environments without redaction.

Incident response

On a confirmed incident, affected controllers are notified within seventy-two hours per GDPR and comparable obligations. The notification includes what happened, what data was involved, what we have already done, and what you should do. We do not delay notification for public-relations reasons.

Recognition

We list reporters who help us improve the product on request, with their consent. If you’d prefer to remain anonymous, that’s fine — say so in the report.

What we will not do

We will not pursue legal action against researchers who follow this policy in good faith. We will not require non-disclosure of the vulnerability beyond the disclosure window above. We will not gatekeep recognition by tier.