Legal

Responsible Disclosure & Bug Bounty

Last updated: July 2, 2026

Furlpay takes the security of our platform, our users’ funds, and their personal data seriously. We welcome responsible security research and will not pursue legal action against researchers who follow this policy in good faith.

1. Scope

The following assets and services are in scope for responsible disclosure:

  • Web application: furlpay.com and all subdomains (e.g., app.furlpay.com, api.furlpay.com).
  • REST & GraphQL APIs: All versioned API endpoints under /api/v*, including the x402 agent payment protocol.
  • SDKs: The official Furlpay JavaScript/TypeScript SDK (@furlpay/sdk) and the x402 agent SDK (@furlpay/x402).
  • Mobile applications: Furlpay iOS and Android apps distributed through official app stores.
  • Smart contracts: Any Furlpay-deployed contracts on Base, Solana, Arbitrum, or Ethereum mainnet.

Out of scope

  • Third-party services (Stripe, Marqeta, Persona, etc.) — report issues directly to those vendors.
  • Social engineering or phishing attacks against Furlpay employees or users.
  • Denial-of-service (DoS/DDoS) attacks.
  • Physical attacks against Furlpay offices or data centers.
  • Vulnerabilities in third-party libraries unless they are exploitable within the Furlpay context.
  • Automated scanning output without a demonstrated proof-of-concept.

2. Reporting process

If you believe you have found a security vulnerability, please report it responsibly:

  • Email: security@furlpay.com
  • Encryption: We strongly encourage encrypting your report using our PGP key (see below). Use the subject line [SECURITY] Brief description.
  • Required information: Description of the vulnerability, affected asset(s), step-by-step reproduction instructions, proof-of-concept (screenshots, video, or code), and an assessment of the impact.
  • Optional: Suggested remediation, CVSS score estimate, and your preferred contact method for follow-up.

3. PGP public key

Encrypt sensitive vulnerability reports using the following PGP key. The full public key block is also available at https://furlpay.com/.well-known/security.txt.

PGP Fingerprint
Key ID: 0xA1B2C3D4E5F60789
Fingerprint: 4A1B 2C3D 4E5F 6078 9ABC DEF0 1234 5678 9ABC DEF0
Algo: RSA 4096-bit / ed25519
Expires: 2028-01-01

4. Response SLA

We commit to the following response timelines for all reports submitted in good faith:

MilestoneSLA
Acknowledgment of receipt≤ 48 hours
Initial triage & severity assessment≤ 7 days
Status update (if still under investigation)Every 14 days
Fix deployment (critical / high severity)≤ 30 days
Fix deployment (medium / low severity)≤ 90 days

5. Rewards

Furlpay offers monetary rewards for qualifying vulnerability reports. Reward amounts are determined by the severity of the vulnerability, the quality of the report, and the potential impact on user funds or data.

SeverityCVSS RangeReward (USD)
Critical9.0 – 10.0$5,000 – $25,000
High7.0 – 8.9$2,000 – $5,000
Medium4.0 – 6.9$500 – $2,000
Low0.1 – 3.9$100 – $500

Rewards are paid in USDC to your Furlpay wallet, or via bank transfer upon request. Duplicate reports receive credit but no monetary reward. The first reporter of a given vulnerability receives the full reward.

6. Safe harbor

Legal safe harbor

Furlpay will not initiate legal proceedings against security researchers who comply with this policy. Specifically, we will not pursue civil or criminal action, or support prosecution by law enforcement, for security research conducted in good faith under these guidelines.

To qualify for safe harbor, you must:

  • Act in good faith and avoid privacy violations, data destruction, and service disruption.
  • Not access, modify, or delete data belonging to other users.
  • Stop testing and report the issue promptly once a vulnerability is confirmed.
  • Not publicly disclose the vulnerability before Furlpay has had a reasonable opportunity to remediate it (minimum 90 days or until fix is deployed, whichever comes first).
  • Test only against accounts you own or have explicit authorization to test.
  • Not use automated tools at a volume that degrades service for other users.

7. Exclusions

The following issue types are generally not eligible for rewards:

  • Missing security headers that do not lead to a demonstrated exploit.
  • Clickjacking on pages with no sensitive actions.
  • Self-XSS (cross-site scripting that only affects the researcher’s own session).
  • CSRF on logout or other low-impact state changes.
  • Email enumeration via login, registration, or password-reset endpoints.
  • Content spoofing or text injection without a demonstrated impact.
  • Rate-limiting or brute-force issues on non-authentication endpoints.
  • Vulnerabilities requiring physical access to the user’s device.
  • Theoretical attacks without a working proof-of-concept.

8. Hall of Fame

With your permission, we will publicly acknowledge your contribution on our Security Researchers Hall of Fame page. Researchers may opt out of public recognition if preferred.