Responsible Disclosure
If you discover a security vulnerability in Xferity, please report it responsibly before public disclosure.
How to report
Send vulnerability reports to the Xferity security team via the contact details published on the main Xferity website or project repository.
Include in your report:
- description of the vulnerability
- steps to reproduce
- affected versions or components
- any proof-of-concept code or logs (sanitized where possible)
What to expect
- acknowledgement within 5 business days
- triage and severity assessment
- coordination on disclosure timing if a fix is required
- credit in the release notes when appropriate
In scope for responsible disclosure:
- authentication and session vulnerabilities
- secrets handling failures
- trust enforcement bypasses
- audit log tampering vulnerabilities
- injection or deserialization issues
Out of scope:
- social engineering
- physical access attacks
- third-party dependencies with known upstream CVEs already tracked publicly
What we ask
Please do not publicly disclose vulnerabilities until a fix has been released and a reasonable disclosure window has passed.
Do not exploit vulnerabilities against production systems or user data.