Responsible Disclosure Policy
Effective date: March 21, 2026 · Last updated: March 21, 2026
We take security seriously
FactorCat is an MFA platform — security is the product. If you've found a vulnerability, we want to hear about it. We appreciate the work of security researchers and are committed to working with you to verify and address issues promptly.
How to report
Preferred: If you have a FactorCat account, use the in-app feedback form (Settings → Feedback) and select "Security issue" as the category. This ensures your report is routed directly to the security team with your account context attached.
Fallback: If you don't have an account or prefer email, send your report to security@factorcat.com.
Please include as much detail as possible: steps to reproduce, affected components, potential impact, and any proof-of-concept code or screenshots. The more detail you provide, the faster we can triage and fix the issue.
What's in scope
- FactorCat mobile app (iOS and Android)
- FactorCat browser extension (Chrome, Firefox, Safari)
- FactorCat API (api.factorcat.com)
- FactorCat web dashboard (app.factorcat.com)
- Authentication and authorization flows
- Encryption implementation (Cloud Vault and Locked Vault)
- Push notification delivery and approval flow
- TOTP secret storage and generation
What's out of scope
- The marketing website (www.factorcat.com) — unless the issue directly impacts user security or data
- Social engineering or phishing attacks against FactorCat employees or users
- Denial-of-service (DoS/DDoS) attacks
- Automated scanning or brute-force attacks against production systems
- Physical security attacks
- Issues in third-party services or dependencies (report these to the relevant vendor)
- Reports based solely on software version or banner information without a demonstrated vulnerability
Response commitments
| Stage | Timeline |
|---|---|
| Acknowledgement | Within 48 hours |
| Initial triage | Within 5 business days |
| Status update | At least every 10 business days while open |
| Fix or mitigation | Severity-dependent — critical issues are prioritized immediately |
Safe harbor
We consider security research conducted in accordance with this policy to be authorized. We will not pursue legal action against researchers who:
- Make a good-faith effort to avoid privacy violations, data destruction, and service disruption
- Only interact with accounts they own or with explicit permission from the account holder
- Do not exploit a vulnerability beyond what is necessary to demonstrate the issue
- Report the vulnerability to us before disclosing it publicly
- Allow reasonable time for us to address the issue before any public disclosure
If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will take steps to make it known that your actions were authorized.
Recognition
We believe in recognizing the people who help keep FactorCat secure. With your permission, we will credit you by name (or handle) on our security acknowledgements page for valid reports.
We do not currently offer monetary bounties. As FactorCat grows, we intend to formalize a paid bug bounty program. For now, we offer our sincere thanks and public recognition.
Disclosure guidelines
- Do not access, modify, or delete data belonging to other users
- Do not degrade the performance or availability of FactorCat services
- Stop testing and report immediately if you encounter user data during research
- Provide us with a reasonable timeframe to fix the issue before public disclosure (we suggest 90 days)
Contact
Security reports: security@factorcat.com
General inquiries: hello@factorcat.com