Our Commitment to Security

MoneyLead takes security seriously. We appreciate the work of security researchers who help us protect our users and improve our systems. This page outlines our security vulnerability disclosure policy and how to report security issues responsibly.

Scope

In Scope:

  • moneylead.gg and all subdomains
  • All public-facing web applications
  • All API endpoints
  • Authentication and authorization mechanisms
  • Data storage and transmission security

Out of Scope:

  • Social engineering attacks
  • Physical security tests
  • Denial of Service (DoS/DDoS) attacks
  • Third-party services (GitHub, CDN providers, etc.)
  • Spam or social media attacks

How to Report

When reporting a security vulnerability, please include:

  1. Description - Clear explanation of the vulnerability
  2. Steps to Reproduce - Detailed steps to reproduce the issue
  3. Impact - Potential security impact and affected users
  4. Proof of Concept - Any PoC code or screenshots
  5. Environment - Browser, OS, and other relevant details
  6. Your Contact Info - How we can reach you for follow-up

Tip: For sensitive information, please encrypt your email using our PGP key.

Response Timeline

1️⃣ Initial Response - Within 48 hours of report submission
2️⃣ Status Update - Within 7 days with triage results
3️⃣ Resolution Timeline - Depends on severity (communicated after triage)
4️⃣ Disclosure - Coordinated disclosure after fix is deployed

Safe Harbor

We consider security research conducted in accordance with this policy to be:

  • Authorized in accordance with applicable laws
  • Exempt from Terms of Service restrictions that would interfere with research
  • Lawful and helpful to the security of our systems

We will NOT pursue legal action against researchers who:

  • Make a good faith effort to avoid privacy violations and disruptions
  • Only interact with accounts they own or with explicit permission
  • Do not exploit vulnerabilities beyond proof-of-concept
  • Report vulnerabilities promptly
  • Keep vulnerability details confidential until we've addressed them

Encryption

For secure communication about sensitive vulnerabilities, please use our PGP public key to encrypt your messages:

# Import our public key
curl https://moneylead.gg/.well-known/pgp-key.txt | gpg --import

# Encrypt your message
gpg --armor --encrypt --recipient security@moneylead.gg message.txt

# Verify our security.txt signature (gpg --verify needs a local file, so download it first)
curl -fsSL -o security.txt https://moneylead.gg/.well-known/security.txt
gpg --verify security.txt

Our key details:

  • Type: RSA 4096-bit
  • Fingerprint: 8BBF 9CA4 3F44 4F46 40C1 E69B 439F CA18 BA1A 9BCE
  • Expires: 2027-10-14
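
A fingerprint check to run before importing the key, added here as an example and not MoneyLead's own tooling: it inspects a downloaded key file with `gpg --show-keys` (GnuPG 2.2 or later assumed) and imports it only if the single primary key matches the fingerprint listed above. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Fingerprint published on this page (Encryption section).
EXPECTED_FPR='8BBF 9CA4 3F44 4F46 40C1 E69B 439F CA18 BA1A 9BCE'

# Strip whitespace and upper-case so spaced and unspaced forms compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]'
}

# Print the primary key fingerprint from `gpg --with-colons` output on stdin:
# the first "fpr" record after the first "pub" record (subkeys are ignored).
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1; next }
             seen && $1 == "fpr" { print $10; exit }'
}

# Succeed only if the listing on stdin holds exactly one primary key
# and its fingerprint equals the expected one passed as $1.
listing_matches() {
    listing=$(cat)
    count=$(printf '%s\n' "$listing" | awk -F: '$1 == "pub" { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 1
    got=$(printf '%s\n' "$listing" | primary_fpr)
    [ -n "$got" ] && [ "$(normalize_fpr "$got")" = "$(normalize_fpr "$1")" ]
}

# Inspect a downloaded key file without touching the keyring; import on match only.
import_if_pinned() {
    if gpg --show-keys --with-colons "$1" 2>/dev/null | listing_matches "$EXPECTED_FPR"; then
        gpg --import "$1"
    else
        echo "fingerprint mismatch or unexpected extra keys: not importing $1" >&2
        return 1
    fi
}

# Constructed sample of colon-format output (not captured from the real key).
sample_listing() {
    cat <<'EOF'
pub:-:4096:1:439FCA18BA1A9BCE:0:::-:::scESC:
fpr:::::::::8BBF9CA43F444F4640C1E69B439FCA18BA1A9BCE:
uid:-::::0::::<security@moneylead.gg>:
sub:-:4096:1:0000000000000000:0::::::e:
fpr:::::::::0000000000000000000000000000000000000000:
EOF
}
```

Download the key to a file first (for example with `curl -fsSL -o pgp-key.txt`), then run `import_if_pinned pgp-key.txt`.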

Acknowledgments

We believe in recognizing security researchers who help us improve our security. Researchers who responsibly disclose vulnerabilities may be:

  • Publicly acknowledged on our website (with permission)
  • Added to our security hall of fame
  • Provided with swag or other recognition

Note: We currently do not offer a bug bounty program, but we deeply appreciate responsible disclosure and will acknowledge your contributions.