Responsible Disclosure Policy
We welcome reports from security researchers and take them seriously. This policy explains how to report a vulnerability in LinkFern Cloud (linkfern.cloud) and what you can expect from us.
Reporting
Email hello@linkfern.cloud with a clear description and, ideally, steps to reproduce or a proof of concept. Please don't disclose the issue publicly until we've had a chance to fix it.
What we ask
- Give us a reasonable time to investigate and fix before any public disclosure.
- Only test against your own account and pages. Never access, modify or delete other people's data.
- Don't run denial-of-service attacks, spam, or social-engineering against our staff or users.
- Avoid privacy violations; stop as soon as you've demonstrated an issue, and don't hoard data you encounter.
Safe harbour
If you make a good-faith effort to follow this policy, we will not pursue or support legal action against you for your research, and we'll treat your report as authorised access. If in doubt about whether something is in scope, ask us first.
Scope
In scope: the control plane (accounts, editor, billing, routing) and the pages it hosts. The page engine itself is the separate open-source LinkFern project; report engine bugs there. Out of scope: findings that require physical access, compromised devices, or third-party services (Stripe, our email/DNS/hosting providers); best-practice suggestions without a concrete impact; and volumetric/DoS testing.
Our commitment
We'll acknowledge your report within a few business days, keep you updated on our progress, and credit you if you'd like once a fix ships. We don't currently run a paid bug-bounty program.
Reporting abuse (not security)
To report a page that breaks our rules (spam, phishing, illegal content), use the report form instead.