Responsible Disclosure Policy

Reporting security vulnerabilities in Passary

Security is Our Priority

We take the security of Passary very seriously. If you've discovered a security vulnerability, we appreciate your help in disclosing it to us responsibly. This policy outlines how to report vulnerabilities and what to expect from us.

How to Report a Vulnerability

Security Contact

Email us at: security@passary.com

Please use "SECURITY VULNERABILITY" in the subject line.

PGP Encryption (Optional)

For highly sensitive reports, you may encrypt your email using our PGP key:

PGP Key Fingerprint:

Coming soon

What to Include in Your Report

To help us understand and address the vulnerability quickly, please include:

  1. Vulnerability Description: Clear description of the vulnerability and its potential impact
  2. Steps to Reproduce: Detailed step-by-step instructions to reproduce the issue
  3. Proof of Concept: Code, screenshots, or videos demonstrating the vulnerability
  4. Affected Components: Which parts of Passary are affected (browser version, OS, etc.)
  5. Your Contact Information: Email and optionally how you'd like to be credited

Our Commitment to You

Timely Response

We will acknowledge your report within 24-48 hours and provide an initial assessment within 5 business days.

Open Communication

We'll keep you informed throughout the investigation, remediation, and disclosure process.

No Legal Action

We will not pursue legal action against researchers who comply with this policy and act in good faith.

Recognition

With your permission, we'll credit you in our security advisories and (planned) security hall of fame.

Scope

In Scope

  • Passary web application (passary.com)
  • Cryptographic implementation vulnerabilities
  • Client-side security issues (XSS, CSRF, etc.)
  • Authentication and access control flaws
  • Data leakage or exposure vulnerabilities
  • Injection vulnerabilities

Out of Scope

  • Social engineering attacks against Passary team or users
  • Physical attacks on our infrastructure
  • Denial of Service (DoS/DDoS) attacks
  • Spam or social media account compromise
  • Issues already known and documented
  • Browser or device vulnerabilities not specific to Passary

Important Notice Regarding Infrastructure Attacks

Please note that physical attacks and DoS/DDoS attempts would target our hosting provider's infrastructure, not Passary directly. Such actions constitute attacks against third-party services and will not be tolerated under any circumstances. These activities may result in legal action by the affected hosting provider and are explicitly excluded from this responsible disclosure policy.

Responsible Disclosure Guidelines

To protect Passary users, we ask that you:

  • Give us reasonable time to fix the vulnerability before public disclosure (typically 90 days)
  • Do not exploit the vulnerability beyond what's necessary to demonstrate it
  • Do not access or modify user data beyond your own test accounts
  • Do not publicly disclose the vulnerability until we've had a chance to address it
  • Act in good faith to avoid privacy violations, data destruction, or service interruption

Vulnerability Response Process

  1. Acknowledgment (24-48 hours): We confirm receipt of your report and assign a tracking number.
  2. Initial Assessment (5 business days): We evaluate severity, scope, and impact of the vulnerability.
  3. Remediation (Variable): We develop, test, and deploy a fix. Timeline depends on severity and complexity.
  4. Disclosure: After fixing the issue, we coordinate with you on public disclosure timing and details.

Bug Bounty Program

Program Currently Not Active

At this time, we do not have an active bug bounty program and are unable to offer monetary compensation for vulnerability reports. As a growing security-focused platform, we're dedicating our resources to building and strengthening Passary's core infrastructure.

Your Contribution Still Matters

While we cannot offer financial rewards at this stage, we deeply value responsible security research. Valid vulnerability reports will be acknowledged with public recognition (with your permission) in our security advisories and planned hall of fame. Your research directly contributes to protecting our users' sensitive data.

Future Plans: We aim to establish a formal bug bounty program as our platform grows. Security researchers who contribute now will be among the first considered when we launch monetary rewards.

Thank You

We deeply appreciate the security research community's efforts to keep Passary and its users safe. Your responsible disclosure helps us maintain the trust our users place in us.

Questions about this policy? Email us at security@passary.com