Security Vulnerability Disclosure Policy

We take the security of Fanalysis seriously and appreciate the work of security researchers who help us keep our users safe. This policy explains how to report vulnerabilities to us and what you can expect in return.

Scope

This policy covers all assets owned and operated by Fanalysis, including:

  • The fanalysis.com website and all subdomains

  • Our mobile applications on iOS and Android

  • Our public and internal APIs

  • Any other services we operate under the Fanalysis brand

Out of scope: third-party services we use but don't operate (such as our email provider, analytics, or hosting infrastructure dashboards), and our social media accounts. Vulnerabilities in those should be reported to the respective vendors.

How to Report

Please email reports to security@fanalysis.com. To help us investigate quickly, include:

  • A clear description of the vulnerability

  • Steps to reproduce, including any URLs, payloads, or accounts involved

  • The potential impact you've identified

  • Any proof-of-concept code or screenshots (please don't include real user data)

  • Your name or handle if you'd like to be credited

If the issue is sensitive, you're welcome to encrypt your report — contact us first for our PGP key.

What We Ask of You

While investigating, please:

  • Make a good-faith effort to avoid privacy violations, data destruction, and service disruption

  • Only interact with accounts you own or have explicit permission to test

  • Don't access, modify, or download data that isn't yours

  • Give us reasonable time to investigate and address the issue before disclosing it publicly

  • Don't use automated scanners against production systems without checking with us first

What You Can Expect From Us

  • We'll acknowledge your report within 5 business days

  • We'll keep you updated as we investigate and remediate

  • We won't pursue legal action against researchers who follow this policy in good faith

  • We'll credit you publicly once the issue is resolved, if you'd like (just let us know how you'd like to be named)

We don't currently run a paid bounty program, but we're genuinely grateful for every report: a heartfelt thank-you and recognition are what we can offer right now.

Out-of-Scope Issues

We generally don't consider the following to be security vulnerabilities:

  • Missing security headers without a demonstrated impact

  • Reports from automated scanners without a working proof-of-concept

  • Social engineering of our staff or users

  • Physical attacks against our offices or infrastructure

  • Denial-of-service attacks or volumetric testing

  • Self-XSS or issues requiring an already-compromised device

  • Best-practice suggestions without an exploitable issue

Contact

security@fanalysis.com

Thank you for helping keep Fanalysis and our users safe.