Legal

Vulnerability
Disclosure

Last Updated: July 13, 2026

1. Introduction

Profitabul, LLC ("we," "our," or "us") operates a real-money trading analytics platform. We take the security of our users, their broker credentials, and their data seriously, and we welcome reports from security researchers who help us keep the Service safe.

This Vulnerability Disclosure Policy ("Policy") explains how to report a security vulnerability to us, what is in and out of scope, what you can expect from us in return, and the protections we extend to good-faith researchers. It complements the machine-readable security.txt file published under RFC 9116.

2. How to Report

Send security reports to the address below. Please do not report security issues through public channels (social media, Discord, community forums) or through general support, as that can expose an unpatched issue to others.

Report a vulnerability:

Email: [email protected]

Please include enough detail for us to reproduce and validate the issue: affected URL, endpoint, or component; a description of the vulnerability and its impact; step-by-step reproduction; and any proof-of-concept, request/response captures, or screenshots. If you need to share sensitive details, say so in your first message and we will arrange a secure channel.

3. Scope

The following Profitabul-operated surfaces are in scope for this Policy:

In scope

  • The Profitabul web application (profitabul.com and its authenticated dashboard)
  • Public and authenticated Profitabul APIs, including the MCP endpoint
  • Our market-data relays and backend services that we operate

The following are explicitly out of scope. Testing against them is not authorized under this Policy:

Out of scope

  • Denial-of-service (DoS/DDoS), volumetric, or load/stress testing of any kind
  • Social engineering or phishing of our staff, users, contractors, or vendors
  • Physical attacks against our offices, staff, or infrastructure
  • Findings against third-party services we rely on (for example our hosting, payment, broker, email, or authentication providers). Please report those to the relevant provider.
  • Automated scanner output without a demonstrated, exploitable impact; missing best-practice headers or configuration hardening reported with no realistic attack scenario

4. Rules of Engagement

To keep your testing in good faith and within this Policy, you agree to:

  • Make a good-faith effort to avoid privacy violations, data destruction, and interruption or degradation of the Service
  • Only interact with accounts you own or have explicit permission from the account holder to test — never access, modify, or exfiltrate another user's data
  • Stop testing and notify us immediately if you encounter any user data (personal information, broker credentials, or trading data), and do not download, retain, or share it
  • Use the minimum interaction necessary to demonstrate a vulnerability; do not use a finding to pivot deeper than needed to prove impact
  • Give us a reasonable time to investigate and remediate before disclosing an issue publicly, and coordinate any public disclosure with us

5. Safe Harbor

Good-faith research is authorized

When you make a good-faith effort to comply with this Policy during your security research, we will consider that research to be authorized, we will work with you to understand and resolve the issue promptly, and we will not recommend or pursue legal action against you related to your research.

If legal action is initiated by a third party against you for activity that was conducted in accordance with this Policy, we will make it known that your actions were authorized under this Policy. This safe harbor applies only to your good-faith, in-scope security research; it does not waive our rights with respect to activity that is out of scope, that violates the Rules of Engagement, or that is otherwise unlawful.

Nothing in this Policy modifies or supersedes our Terms of Service or Acceptable Use Policy for any activity that falls outside good-faith security research authorized here. If in doubt about whether specific testing is authorized, contact us at [email protected] before you proceed.

6. What to Expect From Us

When you submit a report in accordance with this Policy, we aim to:

  • Acknowledge receipt of your report within 72 hours
  • Provide an initial assessment and validate the issue as quickly as we reasonably can
  • Keep you informed of our remediation progress on validated issues
  • Let you know when the issue has been resolved

These are targets, not contractual guarantees. Timelines vary with the severity and complexity of an issue.

7. Rewards

We do not currently offer monetary rewards or a paid bug-bounty program. Reports are handled on a coordinated-disclosure basis. We are grateful for responsible reports and, with your permission, are happy to acknowledge your contribution once an issue is resolved. If we introduce a bounty program in the future, we will update this page.

8. Changes to This Policy

We may update this Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated Policy on this page and update the "Last Updated" date above.

9. Related Policies

This Policy should be read in conjunction with: