# Vulnerability Disclosure Policy

Market Fortress takes the security of its platform seriously. If you believe you have discovered a vulnerability in the Market Fortress application, API, or infrastructure, please report it to us promptly. We are committed to working with security researchers in good faith.

---

## How to Report

Send a report to: **security@marketfortress.app**

Please include:

- A clear description of the vulnerability and its potential impact.
- The affected URL, endpoint, or component.
- Step-by-step reproduction instructions, including any payloads, request/response samples, or proof-of-concept code (do not exploit beyond what is necessary to demonstrate the vulnerability).
- Your name or handle if you wish to be credited.

---

## Response SLA

| Milestone | Target |
|---|---|
| Acknowledgment | 2 business days |
| Triage and severity assignment | 7 calendar days |
| Remediation timeline communicated | 14 calendar days |
| Public disclosure coordination | Negotiated with reporter |

We aim to resolve critical vulnerabilities within 30 days. Complex issues requiring architectural changes may take longer. We will keep you informed of progress.

---

## Safe Harbor

Market Fortress will not pursue legal action against researchers who:

- Comply with this policy and act in good faith.
- Limit testing to their own accounts or test environments, and do not access, modify, or exfiltrate user data belonging to other accounts.
- Do not degrade service availability (no denial-of-service testing).
- Disclose findings to Market Fortress before public disclosure and allow reasonable time to remediate.
- Do not engage in social engineering, physical access attempts, or attacks against Market Fortress personnel.

If you are uncertain whether a specific testing activity is within scope, ask us before proceeding.

---

## Out of Scope

The following are excluded from this policy:

- Denial-of-service attacks (application layer, network, or resource exhaustion).
- Social engineering of Market Fortress employees, contractors, or customers.
- Physical security attacks.
- Attacks requiring physical access to a user device.
- Findings from automated scanning tools without manual validation of exploitability.
- Reports of software versions with no demonstrated impact.
- Missing security headers without proof of exploitability in the context of this application.
- Clickjacking on pages that do not perform sensitive actions.
- Self-XSS (cross-site scripting exploitable only by the victim themselves).
- Rate limiting on non-sensitive endpoints.
- Email spoofing or DMARC/SPF/DKIM configuration issues unrelated to our outbound email infrastructure.
- Issues requiring a compromised user device, MitM certificate installation, or root access.
- Third-party services and infrastructure not directly operated by Market Fortress.

---

## Disclosure Policy

Market Fortress follows coordinated disclosure. We ask that researchers:

1. Notify us before publishing or sharing findings with third parties.
2. Allow a minimum of 90 days from our acknowledgment before public disclosure, unless we agree to a shorter timeline.
3. Coordinate on the content of any public disclosure to avoid exposing users to unpatched risk.

We will credit researchers by name or handle in our security advisories unless you prefer to remain anonymous.

---

## Scope

In scope:

- `https://www.marketfortress.app` and all subdomains.
- The Market Fortress REST API (v1).
- The Market Fortress TypeScript SDK (`@marketfortress/sdk`).
- Authentication flows (login, registration, password reset, MFA).
- Data isolation controls (row-level security, tenant boundaries).

Out of scope:

- Third-party services (Supabase, Vercel, Stripe, Resend, Google Cloud, DocuSign, Plaid). Report issues with those services directly to their respective security teams.

---

## Contact

security@marketfortress.app
