Skip to content
PODFY

Security

Responsible Disclosure

We welcome responsible security research on podfy.app and podfy.net. This page explains how to report vulnerabilities, what is in scope, and what you can expect from us in return.

Last updated: 2025-12-10
Scope: podfy.app (application) and podfy.net (website & forms)
Security contact: [email protected]

Chapters

Use this as the public reference for your disclosure programme. Detailed policy also lives in SECURITY.md and security.txt.

1. Overview

Purpose & systems in scope

This Responsible Disclosure policy is intended for security researchers, customers and partners who want to report vulnerabilities in PODFY systems in a safe and coordinated way.

Systems covered:

  • podfy.app – operational application, APIs and delivery portals
  • podfy.net – marketing website, documentation and legal pages

Issues in third-party services we use (e.g. infrastructure providers, email providers) may also be reported to us. Where appropriate, we will coordinate with those vendors.

2. Reporting a vulnerability

What to send us

Please email your report to [email protected]. If the report contains sensitive details, you can explicitly request an encrypted channel and we will respond with options.

Your report should ideally include:

  • Affected host(s), URL(s), endpoint(s) and parameters.
  • Step-by-step reproduction instructions, including any required test account details.
  • Expected behaviour vs. actual behaviour.
  • Impact assessment (what could an attacker do).
  • Any suggested CVSS v3.1 vector, if you are comfortable providing one.

No production data required

Please use test accounts and non-production data whenever possible. If you accidentally access personal data or customer data, stop, do not copy or share it, and include that fact in your report.

3. Rules of engagement

Good-faith testing guidelines

To protect our customers and infrastructure, we ask researchers to follow these rules:

  • Do not intentionally access, modify or exfiltrate data that does not belong to you.
  • Do not run denial-of-service attacks, large-scale automated scans or load tests against production.
  • Do not use social engineering, phishing, or physical security testing.
  • Do not attempt to compromise other customers’ accounts or drivers’ mailboxes.
  • Stop immediately if you encounter real personal data and report the issue.

As long as you act in good faith, respect these boundaries and give us reasonable time to remediate, we consider your research to fall under this policy’s safe-harbor statement.

4. Scope

In-scope and out-of-scope findings

In-scope examples:

  • Authentication and session issues (for example, broken auth, token leakage, session fixation).
  • Access control and tenant isolation issues (IDOR, horizontal/vertical privilege escalation).
  • Injection vulnerabilities (SQL/NoSQL, command, template injection), stored or reflected XSS with real impact.
  • Misuse of signed URLs or portal tokens that allows unauthorised access to POD documents.
  • Server-side request forgery (SSRF) or unsafe file upload handling with security impact.

Out-of-scope examples:

  • Purely theoretical vulnerabilities without a clear impact path.
  • UI/UX issues, typos, or cosmetic content bugs.
  • Rate-limiting or brute-force reports without a realistic exploit scenario.
  • Use of automated tools that report generic issues without reproduction steps.
  • Denial-of-service or performance testing.

For a more detailed classification and safe-harbor wording, see SECURITY.md.

5. Timelines

Acknowledgement, triage & fixes

We try to respond to good-faith security reports quickly and predictably:

  • Acknowledgement: within 3 business days.
  • Initial triage / classification: within 7 business days.

Target remediation timelines (guideline):

  • Critical issues: target mitigation or fix within 7 days.
  • High issues: target fix within 30 days.
  • Medium issues: target fix within 90 days.
  • Low issues: target fix within 180 days.

Actual timelines may vary depending on complexity, dependencies and risk. We aim to keep you updated on progress for valid reports.

We prefer coordinated disclosure: details are published only after a fix or effective mitigation is in place or, failing that, after a mutually agreed timeline.

6. Safe harbor & credit

Legal stance for good-faith research

Safe harbor.

If you comply with this policy and act in good faith, PODFY will not initiate legal action against you solely for your security research. This commitment does not extend to:

  • activities that are clearly malicious or fraudulent; or
  • situations where your research violates the rights of our customers, partners or third parties.

This statement does not waive rights of affected users or regulators, but reflects how PODFY intends to respond to good-faith reports.

Credit.

If you would like recognition after a valid issue has been remediated, let us know how to credit you (name, handle or “anonymous”). We do not operate a formal bounty programme at this time, but we are happy to acknowledge meaningful contributions.

Where this policy lives

This page is the human-readable web version of our disclosure process. Technical details and extended wording are mirrored in: