Do not report security issues via public GitHub Issues, pull requests, or social media.
Use one of the private channels:
- Email: security@finulio.com
- Canonical security contact (security.txt):

If available, you may also use GitHub Security Advisories for private coordination.

Please include as much of the following as possible:
- Clear description of the issue and impact
- Steps to reproduce (PoC) or a minimal test case
- Affected component(s): repo, domain, endpoint, commit, version
- Any suggested mitigation (optional)

This policy covers FINULIO-controlled assets, including:
- FINULIO-owned GitHub repositories and packages
- FINULIO-controlled domains and services (e.g., finulio.com, assets.finulio.com, finulio.dev)

Out of scope (examples):
- Social engineering of staff/users
- Physical attacks, stolen credentials, or third-party compromise outside FINULIO control
- DoS that disrupts availability
- Content corrections/data disputes (use the corrections process on finulio.com)

We support coordinated disclosure. If we confirm an issue, we will work toward a fix and may publish an advisory once mitigated.

We aim to:
- Acknowledge receipt within 72 hours
- Provide an initial triage update within 5–10 business days

Timelines may vary depending on severity and complexity.

If you:
- Act in good faith,
- Avoid privacy violations, data destruction, and service disruption,
- Do not access or modify data beyond what is necessary to demonstrate the issue,

then FINULIO will not pursue legal action for your report.

Thank you for helping keep FINULIO secure.