Cyblitrades welcomes responsible security research. If you discover a vulnerability, please report it to us privately before public disclosure. We commit to responding within 3 business days and will not pursue legal action against researchers acting in good faith.
1. Our Commitment
- Acknowledge receipt of your report within 3 business days
- Provide a preliminary assessment within 10 business days
- Keep you informed as we investigate and remediate
- Not pursue legal action against researchers who act in good faith
- Publicly acknowledge your contribution (with your consent) upon remediation
2. Scope
In Scope
- cyblitrades.com and admin.cyblitrades.com
- Authentication and authorization vulnerabilities
- Injection vulnerabilities (SQL, XSS, command injection)
- Sensitive data exposure or unauthorized data access
- Broken access controls and insecure direct object references (IDOR)
- Server-side request forgery (SSRF)
Out of Scope
- Denial of service attacks
- Social engineering of employees or clients
- Automated scanning that creates excessive load
- Vulnerabilities in third-party services (Clerk, Stripe, Supabase, Netlify)
- Self-XSS or issues requiring highly unlikely user interaction
3. How to Report
Send your report to: security@cyblitrades.com
Please include:
- A clear description of the vulnerability and potential impact
- The affected URL, endpoint, or component
- Step-by-step reproduction instructions
- Proof-of-concept or screenshots (where applicable)
- Your assessment of severity
4. Responsible Disclosure Guidelines
- Act in good faith: do not harm Cyblitrades or its clients
- Only test against accounts you own or have permission to test
- Do not access, modify, or exfiltrate data beyond what is needed to demonstrate the issue
- Do not publicly disclose before we have had a reasonable opportunity to remediate
- Do not use vulnerabilities for personal gain or extortion
5. Severity and Response Timelines
- Critical: Acknowledgment within 24 hours; patch target within 7 days
- High: Acknowledgment within 3 business days; patch target within 30 days
- Medium: Acknowledgment within 5 business days; patch target within 60 days
- Low: Acknowledgment within 10 business days; patch target within 90 days
6. Safe Harbor
Cyblitrades will not initiate legal action against researchers who comply with this policy, act in good faith, and report findings to us before public disclosure. We consider research under this policy to be authorized testing.
7. Recognition
Researchers who responsibly disclose qualifying vulnerabilities may be acknowledged on our security acknowledgments page (with consent) and receive a letter of recognition. We are working toward a formal bug bounty program.