Reporting a vulnerability
If you believe you have found a security vulnerability, please report it to us privately at security@traderforum.com before any public disclosure. Include enough detail for us to reproduce the issue: the affected URL or endpoint, the steps you followed, and any proof of concept. We aim to acknowledge reports within 3 business days and to keep you updated as we investigate and remediate.
A machine-readable version of this contact is published at /.well-known/security.txt per RFC 9116.
Safe harbour
We will not pursue legal action against researchers who act in good faith and in accordance with this policy: test only against your own accounts or with explicit permission, avoid privacy violations and service degradation, do not access or modify other users' data, and give us a reasonable time to remediate before disclosing.
Out of scope
- Denial-of-service (DoS/DDoS) and volumetric testing.
- Social engineering of our staff, users or vendors, and physical attacks.
- Reports from automated scanners without a demonstrated, exploitable impact.
- Missing best-practice headers with no concrete security impact.
How we protect the platform
- Encryption in transit (HTTPS/TLS) across the site, API and embeddable widgets.
- Authentication via established identity providers; session integrity controls.
- Scoped, revocable API keys with origin allow-lists and rate limiting.
- A moderation gate and abuse controls on user-generated content.
- Least-privilege access to infrastructure and routine dependency review.
Data handling
How we collect, use and retain personal data is described in our Privacy Policy, and the developer/API data terms in our Data & API Policy.