If you believe you've found a security vulnerability in FundlyHub, please report it responsibly. We appreciate your help in keeping our platform and users safe. Your report should include:

- Description of the vulnerability and its potential impact
- Steps to reproduce (or proof of concept)
- Affected URL, endpoint, or component
- Your contact information for follow-up
| Action | Timeline |
|---|---|
| Acknowledgment of report | Within 24 hours |
| Initial assessment & triage | Within 72 hours |
| Status update to reporter | Within 7 days |
| Resolution (depends on severity) | Critical: ≤7 days, High: ≤30 days |
| Post-fix notification to reporter | Upon resolution |
| Severity | Definition | Examples |
|---|---|---|
| P1 — Critical | Active data breach or total service outage | Database exposure, credential compromise |
| P2 — High | Partial degradation or unauthorized access risk | Auth bypass, API abuse, failed backup |
| P3 — Medium | Security misconfiguration or vulnerability | Open port, unpatched critical CVE |
| P4 — Low | Informational events, failed attacks | Port scan, phishing attempt |
Automated monitoring (CloudWatch, Sentry, Auth Risk Engine) detects anomalies. The incident is classified by severity and an incident commander assigned.
Affected systems are isolated — credentials revoked, IPs blocked, services taken offline as needed. Evidence is preserved before remediation.
Root cause is removed (patch, credential rotation, config fix). Systems restored from clean backups if necessary, then validated via health checks.
Affected users notified within 72 hours if personal data is compromised. Relevant authorities contacted per applicable regulations.
Post-mortem conducted within 5 business days. Root cause, timeline, and lessons learned documented. Controls and runbooks updated.