Legal
Responsible Disclosure & Bug Bounty
Last updated: July 2, 2026
Furlpay takes the security of our platform, our users’ funds, and their personal data seriously. We welcome responsible security research and will not pursue legal action against researchers who follow this policy in good faith.
1. Scope
The following assets and services are in scope for responsible disclosure:
- Web application:
furlpay.comand all subdomains (e.g.,app.furlpay.com,api.furlpay.com). - REST & GraphQL APIs: All versioned API endpoints under
/api/v*, including the x402 agent payment protocol. - SDKs: The official Furlpay JavaScript/TypeScript SDK (
@furlpay/sdk) and the x402 agent SDK (@furlpay/x402). - Mobile applications: Furlpay iOS and Android apps distributed through official app stores.
- Smart contracts: Any Furlpay-deployed contracts on Base, Solana, Arbitrum, or Ethereum mainnet.
Out of scope
- Third-party services (Stripe, Marqeta, Persona, etc.) — report issues directly to those vendors.
- Social engineering or phishing attacks against Furlpay employees or users.
- Denial-of-service (DoS/DDoS) attacks.
- Physical attacks against Furlpay offices or data centers.
- Vulnerabilities in third-party libraries unless they are exploitable within the Furlpay context.
- Automated scanning output without a demonstrated proof-of-concept.
2. Reporting process
If you believe you have found a security vulnerability, please report it responsibly:
- Email: security@furlpay.com
- Encryption: We strongly encourage encrypting your report using our PGP key (see below). Use the subject line
[SECURITY] Brief description. - Required information: Description of the vulnerability, affected asset(s), step-by-step reproduction instructions, proof-of-concept (screenshots, video, or code), and an assessment of the impact.
- Optional: Suggested remediation, CVSS score estimate, and your preferred contact method for follow-up.
3. PGP public key
Encrypt sensitive vulnerability reports using the following PGP key. The full public key block is also available at https://furlpay.com/.well-known/security.txt.
Key ID: 0xA1B2C3D4E5F60789
Fingerprint: 4A1B 2C3D 4E5F 6078 9ABC DEF0 1234 5678 9ABC DEF0
Algo: RSA 4096-bit / ed25519
Expires: 2028-01-014. Response SLA
We commit to the following response timelines for all reports submitted in good faith:
| Milestone | SLA |
|---|---|
| Acknowledgment of receipt | ≤ 48 hours |
| Initial triage & severity assessment | ≤ 7 days |
| Status update (if still under investigation) | Every 14 days |
| Fix deployment (critical / high severity) | ≤ 30 days |
| Fix deployment (medium / low severity) | ≤ 90 days |
5. Rewards
Furlpay offers monetary rewards for qualifying vulnerability reports. Reward amounts are determined by the severity of the vulnerability, the quality of the report, and the potential impact on user funds or data.
| Severity | CVSS Range | Reward (USD) |
|---|---|---|
| Critical | 9.0 – 10.0 | $5,000 – $25,000 |
| High | 7.0 – 8.9 | $2,000 – $5,000 |
| Medium | 4.0 – 6.9 | $500 – $2,000 |
| Low | 0.1 – 3.9 | $100 – $500 |
Rewards are paid in USDC to your Furlpay wallet, or via bank transfer upon request. Duplicate reports receive credit but no monetary reward. The first reporter of a given vulnerability receives the full reward.
6. Safe harbor
Legal safe harbor
To qualify for safe harbor, you must:
- Act in good faith and avoid privacy violations, data destruction, and service disruption.
- Not access, modify, or delete data belonging to other users.
- Stop testing and report the issue promptly once a vulnerability is confirmed.
- Not publicly disclose the vulnerability before Furlpay has had a reasonable opportunity to remediate it (minimum 90 days or until fix is deployed, whichever comes first).
- Test only against accounts you own or have explicit authorization to test.
- Not use automated tools at a volume that degrades service for other users.
7. Exclusions
The following issue types are generally not eligible for rewards:
- Missing security headers that do not lead to a demonstrated exploit.
- Clickjacking on pages with no sensitive actions.
- Self-XSS (cross-site scripting that only affects the researcher’s own session).
- CSRF on logout or other low-impact state changes.
- Email enumeration via login, registration, or password-reset endpoints.
- Content spoofing or text injection without a demonstrated impact.
- Rate-limiting or brute-force issues on non-authentication endpoints.
- Vulnerabilities requiring physical access to the user’s device.
- Theoretical attacks without a working proof-of-concept.
8. Hall of Fame
With your permission, we will publicly acknowledge your contribution on our Security Researchers Hall of Fame page. Researchers may opt out of public recognition if preferred.