How to report an issue
Send reports to security@cyberfurl.com. Include the affected route, asset, proof of concept, impact summary, and any safeguards needed to reproduce the issue safely in a controlled environment.
Security policy
Responsible Disclosure & CyberFurl Security Policy
CyberFurl accepts good-faith vulnerability reports and uses a coordinated disclosure process to triage, remediate, and recognize valid findings. Last updated April 24, 2026.
3 business days
Initial response target
CyberFurl aims to acknowledge inbound reports quickly and confirm triage status.
Good-faith only
Safe-harbor expectation
Testing must avoid service disruption, privacy harm, and unauthorized customer access.
/.well-known
Public contact path
The canonical security.txt file mirrors the reporting address and disclosure links.
April 24, 2026
Policy date
Use this date when sharing the policy with legal, procurement, or security teams.
Report a finding
How to Report a Vulnerability
Send reproducible details to security@cyberfurl.com with affected routes, impact summary, and safe reproduction steps.
Scope and recognition
Scope, Safe-Harbor, and Recognition
What testing is in-scope, safe-harbor expectations, and how validated reports may be acknowledged publicly.
Disclosure process
How CyberFurl handles researcher reports.
The goal is clarity for both the reporter and the engineering team: where to report, what is acceptable to test, and what kind of collaboration to expect once a report is submitted.
What is in scope
CyberFurl websites, authenticated product surfaces, public APIs, account flows, and platform-managed scan or monitoring workflows are in scope when tested against assets you are authorized to assess.
What is out of scope
Social engineering, physical access attempts, denial-of-service activity, spam, attacks against third-party infrastructure, and testing customer assets without permission are out of scope.
Coordinated disclosure
CyberFurl asks researchers to keep reports private while the issue is triaged and remediated. Our target is an initial response within 3 business days and status updates throughout remediation.
Safe harbor
Rules that keep testing constructive.
These guardrails are meant to let researchers help without creating avoidable risk for customers or the service.
What CyberFurl asks from reporters
Reports should be actionable, reproducible, and scoped to assets the reporter is permitted to test.
- Act in good faith and avoid privacy violations, data destruction, or service disruption.
- Test only against accounts, domains, or systems you own or are explicitly authorized to assess.
- Stop immediately if you encounter customer data and report the exposure without copying or sharing it.
- Do not publicly disclose findings until CyberFurl confirms remediation or agrees on a disclosure timeline.
What to include in a report
A strong report reduces triage time and avoids follow-up loops.
- Affected URL, endpoint, or product area
- Step-by-step reproduction notes
- Observed impact and realistic abuse scenario
- Any account, tenant, or domain prerequisites
- Suggested mitigations if you have them
Recognition
Validated reports can be acknowledged publicly.
CyberFurl maintains a simple researcher recognition page for reporters who want public credit after a coordinated disclosure closes.
Recognition path
After a report is validated and remediated, CyberFurl can list the researcher or team on the hall-of-fame page if they opt in.
Private handling first
Recognition comes after remediation. The security inbox is the first stop, not a public issue tracker or social feed.
No bounty promise here
This page documents disclosure and recognition. Any future bug bounty terms should be published separately with explicit scope and payout rules.
Next step
Need to submit a report now?
Use the security inbox for vulnerability reports, or open the public security.txt file if you need the canonical policy reference during review.