Security

Responsible Disclosure

Last updated · March 2026

We build security for a living, and we welcome the security community in helping us keep HacFy safe. This policy explains how to report vulnerabilities you discover in systems operated by HacFy.

01

Scope

The following assets are in scope:

  • hacfy.com and its public subdomains
  • Public web applications hosted on *.hacfy.com
  • Official HacFy mobile applications, where published

Third-party services, client engagement infrastructure, and any system not owned by HacFy are strictly out of scope.

02

How to report

Send a detailed report to security@hacfy.com. Please include:

  • A clear description of the issue and its impact.
  • Steps to reproduce, proof-of-concept payloads, and screenshots or logs.
  • Any suggested remediation.

Encrypt sensitive reports using our published PGP key on request.

03

Rules of engagement

  • Do not access, modify, or destroy data that does not belong to you.
  • Do not perform testing that degrades service (DoS, spam, resource abuse).
  • Do not use automated scanners against production without written permission.
  • Stop testing and report immediately if you access sensitive data (PII, credentials, internal keys).
  • Keep the vulnerability confidential until we confirm it is resolved.
04

Our commitments

  • Acknowledge your report within 3 business days.
  • Provide a triage decision within 10 business days.
  • Keep you updated on remediation progress.
  • Credit researchers, with consent, in a public hall of fame.
05

Safe harbor

We consider security research and vulnerability disclosure activities conducted in good faith and in compliance with this policy to be authorized. We will not initiate legal action against researchers who follow it.

06

Out of scope issues

  • Missing best-practice HTTP security headers with no demonstrated impact.
  • Reports from automated scanners without validated impact.
  • Social engineering, phishing, or physical attacks against HacFy staff.
  • Denial of service and volumetric attacks.