Security

Last updated: 25 April 2026

We welcome reports from independent security researchers. This page describes how to reach our security team, what we consider in-scope, the safe-harbour commitment we make to good-faith researchers, the response we aim for, and how we credit reporters.

Reporting a vulnerability

Email security@finium.io. Include a clear description, reproduction steps, the affected URL or endpoint, and any proof-of-concept material. Our machine-readable contact record is published at /.well-known/security.txt per RFC 9116.

In-scope targets

  • The marketing site at finium.io (this site).
  • The Finium web application and its public API endpoints.
  • The Finium iOS and Android apps (current production builds).
  • The supporting infrastructure we directly operate (e.g. our AWS accounts and backing services).

Out of scope

  • Issues in third-party services we depend on (Auth0, AWS, the cookie banner CMP, etc.) — please report those to the relevant vendor first; we're happy to coordinate.
  • Findings that require physical access, social engineering of our staff, or denial-of-service against our production infrastructure.
  • Self-XSS, missing security headers without an exploit path, and other low-impact configuration warnings (we still want to know, but they will not be eligible for credit).
  • Reports generated by automated scanners without a clear, reproducible exploit.

Safe harbour

We will not pursue legal action against researchers who:

  • Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
  • Only access accounts they own or accounts they have explicit permission to test (no testing against real customer data).
  • Give us a reasonable time to respond before publishing details.
  • Do not attempt extortion or demand payment as a condition of disclosing the issue.

Response targets

  • Acknowledgement: within 2 business days of receipt.
  • Initial triage: within 5 business days.
  • Remediation timelines: Critical within 7 days, High within 30 days, Medium within 90 days, Low best-effort. These mirror the SLAs in our internal Vulnerability Management Procedure.
  • Status updates: at least every 14 days while a report is open.

Credit

With your permission, we list reporters of valid issues on a public acknowledgements page once the issue has been remediated. We do not currently run a paid bug bounty programme; this may change as the product reaches wider general availability.

Anything else

For non-security questions about how we handle data, see our privacy page. For account or product issues, contact us at contact@finium.io, or use Share feedback inside the app to send feedback or report an issue.