Our public security program.
Coordinated disclosure, bug bounty, response timelines, and the leaderboard. Run by Stinger Security, our in-house offensive security team.
How to report a vulnerability.
Email: security@plutobee.com. PGP key on request.
Standard window: 90 days from confirmed receipt to public disclosure. Extendable by mutual agreement where there is active exploitation or customer impact.
Acknowledgment: Within 1 business day. Hall of fame listing on this page after remediation.
Scope: All Plutobee-operated domains (*.plutobee.com), product properties (*.jaxsuite.com, *.file.business, *.troyfunds.com, *.flfiling.com), Hive NFT smart contracts on Solana mainnet.
Out of scope: Customer-deployed instances (please report to the customer directly), third-party SaaS we use, social engineering.
Patching commitments.
Critical (RCE, auth bypass, data exposure): Patch within 24 hours. Customer notification within 4 hours of confirmed report.
High (escalation, XSS in authenticated paths, IDOR): Patch within 7 days. Customer notification within 24 hours.
Medium (info disclosure without PII, CSRF on low-impact paths): Patch within 30 days.
Low (configuration improvements, best-practice violations): Patch within 90 days.
Researchers who helped us improve.
(Updated quarterly. Researchers are listed by their preferred name or handle. Crediting is at researcher discretion.)
2026 Q1: 3 critical findings (1 chained RCE in checkout, 1 IDOR in admin, 1 broken access control). All patched within SLA. Researchers credited: bayraktarx, _qed, n4ptr1c.
2025 Q4: 4 high findings (3 XSS, 1 SSRF). All patched within SLA. Researchers credited: c0re-hunter, leila_b, redshift_kira, _qed.
Want to be on this list?
Find something, report it. We respond within one business day.
View security.txt →