Responsible Disclosure Policy
We take security very seriously. Despite our best efforts, vulnerabilities can still occur. If you find one, please report it so we can fix it quickly.
Updated October 14th 2025
1. Overview
At MoreTransfer, the security of our systems and the privacy of our users are among our highest priorities.
We continuously test, review, and improve our infrastructure to keep your data safe - but no system is ever perfect.
If you discover a vulnerability or security issue that could affect MoreTransfer or its users, we ask that you responsibly disclose it to us so we can investigate and fix it quickly.
Please submit findings by emailing support@moretransfer.com with the subject line “Security Vulnerability Disclosure”.
2. Our Commitment to You
- We will acknowledge receipt of your report within 5 business days.
- We will not take legal action against you for discovering and responsibly reporting a vulnerability.
- We will not share your personal details with third parties without your permission.
- We will keep you informed of the progress toward resolution.
- We will credit you publicly (if desired) once the issue is verified and resolved.
- We may, at our discretion, provide recognition or a financial reward depending on the quality and impact of the disclosure.
3. What We Ask of You
- Report privately. Do not publicly disclose any details of the vulnerability until we confirm it's resolved.
- Avoid exploitation. Do not access, modify, or delete data that isn't your own; retrieve only what is necessary to demonstrate the issue.
- Avoid destructive testing. Do not run denial-of-service (DoS/DDoS), spam, social-engineering, or brute-force attacks.
- Respect privacy. Do not violate user confidentiality or privacy when investigating vulnerabilities.
- Provide sufficient detail. Include a clear description of the issue, steps to reproduce it, URLs or endpoints affected, and any proof-of-concept where safe to do so.
Reports without enough detail to reproduce the vulnerability may be deprioritized.
4. Scope
In-Scope Targets
The following domains and applications are covered under this policy:
- moretransfer.com web application (production environment only)
Out-of-Scope Targets
To help us focus our resources, the following are out of scope:
- Non-production, staging, or development environments
- Third-party services we use but do not control (e.g., Stripe, Cloudflare, AWS, R2, or email providers)
- Social engineering, phishing, or physical security attacks
- Denial-of-Service (DoS/DDoS) or volumetric traffic testing
- Reports about missing HTTP headers, TLS configurations, or generic “best practice” issues unless you can show a real, exploitable impact
- Attacks that require compromised user credentials (unless the vulnerability affects other accounts)
- Uploading or hosting malware or spam content
- Vulnerabilities in open-source libraries we use, unless you can demonstrate they are exploitable within MoreTransfer's implementation
- Automated scanner output without manual validation
5. Evaluation Process
- Receipt – We acknowledge your report within 5 business days.
- Assessment – Our security team verifies the report and determines its impact and severity.
- Remediation – If valid, we begin patching, deploying fixes, and validating the solution.
- Recognition – Once resolved, we contact you to agree on disclosure timing and your acknowledgment preference.
If the issue is not reproducible or out of scope, we'll inform you with an explanation.
6. Safe Harbor
We consider activities conducted in accordance with this policy to be authorized and in good faith, and we will not pursue or support legal action against you.
This applies as long as:
- You make a good-faith effort to avoid privacy violations, data destruction, or service disruption; and
- You report the issue directly to us and allow reasonable time for remediation before public disclosure.
If in doubt about whether an action is within scope, please contact us first.
7. Recognition and Rewards
We value all security research that helps improve MoreTransfer.
For accepted reports, we may offer:
- Public acknowledgment on our Hall of Fame page (if you wish to be named), and/or
- A discretionary monetary reward, based on:
  - Severity and impact of the vulnerability,
  - Quality of the report and proof-of-concept, and
  - Whether the issue was responsibly and privately disclosed.
Rewards are granted entirely at our discretion and may be reduced or declined if there is evidence of abuse, incomplete disclosure, or prior public release.
8. Contact
If you believe you have found a security issue, please contact us at support@moretransfer.com. Where possible, use encrypted email or another secure channel if your report contains sensitive technical information.