Responsible Disclosure Policy
Effective Date: April 23, 2026 | Last Updated: April 23, 2026
askFinz, an entity under Paul V | Holdings, takes the security of our platform and the privacy of our users seriously. We welcome and appreciate the security research community's assistance in identifying and responsibly disclosing vulnerabilities. This policy outlines how to report security issues and what you can expect from us.
1. Scope
This policy applies to the following askFinz assets:
- All *.askfinz.ai web properties and APIs.
- The askFinz Browser Extension (Chrome/Chromium).
- The askFinz Desktop Browser application.
- The askFinz mobile applications (where published).
- The askFinz npm packages and SDKs.
The following are out of scope:
- Findings from automated scanners without demonstrated exploitability.
- Denial-of-service (DoS/DDoS) attacks.
- Social engineering, phishing, or physical attacks against our staff or infrastructure.
- Vulnerabilities in third-party services or dependencies unless there is a direct exploitable impact on askFinz.
- Missing security headers with no demonstrated impact.
- Theoretical vulnerabilities without a working proof of concept.
2. How to Report
Please report security vulnerabilities by emailing security@askfinz.ai. Include:
- A clear description of the vulnerability and its potential impact.
- Step-by-step reproduction instructions.
- Affected URLs, endpoints, or assets.
- Proof-of-concept code, screenshots, or video recordings if available.
- Your contact details for follow-up questions.
You may encrypt your report using our PGP key available at askfinz.ai/security.asc.
3. Our Commitments to You
When you report a vulnerability in good faith in accordance with this policy, askFinz commits to:
- Acknowledging receipt of your report within 2 business days.
- Providing regular status updates as we investigate.
- Notifying you when the vulnerability has been remediated.
- Crediting you in our security acknowledgements (if you wish to be named).
- Not pursuing legal action against you for good-faith security research conducted in accordance with this policy.
4. Your Responsibilities
To qualify for good-faith protections under this policy, you must:
- Only test against accounts and systems you own or have explicit authorisation to test.
- Not access, modify, delete, or exfiltrate user data beyond what is strictly necessary to demonstrate the vulnerability.
- Not disclose the vulnerability publicly until askFinz has had at least 90 days to investigate and remediate.
- Not use the vulnerability for personal gain, extortion, or to harm askFinz or its users.
- Comply with all applicable laws throughout your research.
5. Bug Bounty
askFinz operates a private bug bounty programme for qualifying vulnerabilities. Rewards are at askFinz's sole discretion based on severity, impact, and quality of the report. Critical and high-severity findings may be eligible for monetary rewards. To be considered for the bug bounty programme, contact security@askfinz.ai.
6. Response Timeline
| Action | Target Timeline |
|---|---|
| Acknowledgement of report | 2 business days |
| Initial triage and severity assessment | 5 business days |
| Remediation of critical vulnerabilities | Within 7 days of confirmation |
| Remediation of high vulnerabilities | Within 30 days of confirmation |
| Remediation of medium/low vulnerabilities | Within 90 days of confirmation |
7. Contact
- Security reports: security@askfinz.ai
- General legal: legal@askfinz.ai