To report a vulnerability: Email [email protected] with the subject line "Vulnerability Report." We will acknowledge your report within 3 business days.
1. Our Commitment
Cash Flow Optimizer, operated by RealtoResource, LLC dba Solidify Solutions, is committed to building a secure platform. Security researchers and users who discover potential vulnerabilities play a valuable role in protecting our customers and the integrity of our Services. We are committed to:
- acknowledging your report promptly;
- working collaboratively with you to understand and validate the issue;
- addressing confirmed vulnerabilities in a timely manner; and
- keeping you informed about our progress, where possible.
We ask that you work with us in good faith, under the responsible-disclosure framework set out in this policy.
2. Who This Policy Covers
This policy applies to any individual, security researcher, or organization that discovers and responsibly discloses a potential security vulnerability in the systems listed in Section 3. It does not create a formal bug-bounty program or any obligation to pay monetary rewards. We may choose to express our gratitude for valid reports through public acknowledgment (with your permission) or other recognition.
3. In-Scope Systems
The following systems and assets are in-scope for vulnerability reporting:
- cfoptimizer.com — the main website and marketing pages
- app.cfoptimizer.com (when live) — the primary application interface
- Any APIs exposed by Cash Flow Optimizer (documented or discoverable via the main application)
4. Out-of-Scope Systems
The following systems are not in scope for this policy:
- Third-party services, platforms, and providers we use (e.g., Vercel, Supabase, Stripe, Plaid, Intuit, Unipile, Anthropic, Google, OpenAI) — please report vulnerabilities in those systems to the relevant provider directly.
- Systems not owned or operated by RealtoResource, LLC / Solidify Solutions.
- Physical security of our offices or infrastructure.
5. In-Scope Vulnerability Types
We are particularly interested in reports involving:
- Cross-Site Scripting (XSS)
- Cross-Site Request Forgery (CSRF)
- SQL Injection or other injection vulnerabilities
- Authentication and authorization bypasses (including broken access control)
- Insecure direct object references (IDOR) or tenant-data isolation failures
- Server-Side Request Forgery (SSRF)
- Sensitive data exposure (API keys, credentials, PII leakage in responses)
- Security misconfigurations affecting customer data
- Remote code execution (RCE)
- Business logic vulnerabilities with material security impact
6. Out-of-Scope Issues
The following are generally not in scope and will not be acted on as security vulnerabilities (though we appreciate the effort):
- Findings from automated scanners with no demonstrated security impact
- Missing security headers that do not result in demonstrated exploitation (e.g., SPF/DKIM without evidence of phishing)
- Clickjacking on pages without sensitive functionality
- Email or username enumeration without demonstrated impact
- Rate limiting or brute-force issues on low-sensitivity endpoints
- Theoretical vulnerabilities without a working proof of concept
- Denial of service attacks or stress testing
- Social engineering of employees or customers
- Physical attacks against our offices or hardware
- Reports of vulnerabilities in third-party dependencies that are publicly known and already tracked upstream
- Findings that require an attacker to have already compromised the victim's device or browser
7. Safe Harbor
We will not initiate legal action against researchers who discover and report security vulnerabilities in good faith, in accordance with this policy, provided they:
- do not access, modify, or exfiltrate data beyond the minimum necessary to demonstrate the existence of the vulnerability;
- do not perform actions that could harm the Services or other users, including denial-of-service attacks, spam, or destructive testing;
- do not disclose the vulnerability publicly before we have had a reasonable opportunity to address it (see coordinated disclosure, Section 10);
- do not use the vulnerability for any purpose other than demonstrating it to us; and
- immediately stop testing and contact us if they encounter any customer personal data during testing.
Safe harbor applies only to activities that comply with this policy. Activities outside this policy may expose the researcher to legal liability, and we reserve all rights to respond appropriately to activities that we determine are harmful, malicious, or undertaken in bad faith.
8. How to Report
Email your report to: [email protected]
Use the subject line: "Vulnerability Report"
If you wish to encrypt your report, please request our PGP public key by emailing that address first. We will provide it on request.
Please do not report vulnerabilities through public channels (GitHub issues, social media, community forums, or public bug trackers) before we have had the opportunity to address them. Premature public disclosure can put our customers at risk before a fix is in place.
9. What to Include in Your Report
A high-quality report helps us triage and fix issues faster. Please include:
- Description: A clear description of the vulnerability and its potential impact.
- Affected system: The URL, endpoint, API, or component affected.
- Steps to reproduce: Detailed, numbered steps that allow us to reproduce the issue. The clearer this is, the faster we can verify it.
- Proof of concept: Screenshots, screen recordings, HTTP request/response samples, or a working exploit if available — sanitized to remove any actual customer data encountered.
- Impact assessment: Your assessment of who could be affected and how, including worst-case scenario.
- Your contact information: So we can follow up. If you wish to remain anonymous, we will do our best to respond without identifying you.
10. What to Expect from Us
After you submit a valid report:
- Acknowledgment within 3 business days: We will confirm receipt and assign a tracking reference.
- Triage within 10 business days: We will assess the report, request clarification if needed, and confirm whether the issue is accepted as a valid vulnerability.
- Updates during remediation: We will keep you informed of our progress at meaningful intervals. For complex issues, resolution may take longer.
- Coordinated disclosure: We ask that you give us a minimum of 90 days from the date of your initial report before public disclosure, to allow us time to investigate and deploy a fix. If you believe the issue poses an imminent risk and requires immediate action, please flag this clearly in your report.
- Resolution notification: We will let you know when the vulnerability has been resolved so you can verify the fix, if you wish.
11. Our Expectations of You
In exchange for our safe-harbor commitment, we ask that you:
- test only against your own accounts or accounts you have explicit permission to test against — never against accounts belonging to other customers;
- do not access, download, or retain customer data beyond what is minimally necessary to demonstrate the vulnerability;
- do not perform destructive testing, denial-of-service attacks, or any action that degrades the platform for other users;
- keep the vulnerability confidential until we have resolved it and authorized disclosure;
- act in good faith throughout the disclosure process; and
- comply with all applicable laws in the course of your research.
12. Acknowledgments
We believe in recognizing researchers who help us keep our platform secure. With your permission, we will publicly acknowledge your contribution on this page or in our release notes after the vulnerability has been remediated. If you would prefer to remain anonymous, please let us know and we will honor that preference.
We do not currently operate a paid bug-bounty program. We may consider monetary recognition for exceptional reports at our sole discretion.
Thank you for helping make Cash Flow Optimizer more secure for everyone.
Contact: [email protected]
RealtoResource, LLC dba Solidify Solutions — 191 Prescott Lane, Winchester, KY 40391