Coordinated Disclosure

Vulnerability Disclosure Policy

Security researchers — thank you for looking. This page tells you how to report a vulnerability in GIVE→ALIGN, what’s in scope, and how we’ll respond. We commit to acting in good faith if you do too.

Last updated: 2026-06-15 · Machine-readable copy at /.well-known/security.txt (RFC 9116)

How to Report

Email your write-up to security@givealign.com with the subject line VDP — <short summary>.

Please include: a clear reproduction, the affected URL or endpoint, the expected vs. actual behavior, and an estimate of severity (Critical / High / Medium / Low / Informational). One vulnerability per email keeps the response thread tractable.

We aim to acknowledge initial reports within 3 business days, agree on a remediation window within 10 business days, and credit good-faith researchers in the Hall of Fame below once a fix ships.

What’s In Scope

The GIVE→ALIGN production application, including:

  • https://givealign.com — the PWA and all routes
  • https://givealign.com/api/* — the public API
  • ✓ Authentication, payment hand-off (Stripe Checkout), donor session handling, password reset, and admin moderation surfaces
  • ✓ Stored data: user accounts, donation intents, click-out audit log, founder transparency ledger

Out of scope:

  • ✗ Third-party services we link to (charity websites, IRS Business Master File, Candid, Charity Navigator). Report those to their owners directly.
  • ✗ Preview environments at *.preview.emergentagent.com — they hold ephemeral data and unfinished features. Test against production only if scope-relevant.
  • ✗ Findings that require physical access, social engineering of our staff, or denial-of-service that disrupts donors.
  • ✗ Issues that depend on outdated browsers, unsupported OS versions, or rooted/jailbroken devices.
  • ✗ Self-XSS, missing best-practice headers without a concrete exploit, EXIF leaks, and other low-impact pattern matches without proof of exploitability.

Safe Harbor

We will not pursue civil action, file a criminal complaint, or report a researcher to law enforcement for good-faith security research that:

  • Stays within the scope above and stops at proof-of-concept (no exfiltration of donor data, no destruction of records, no persistent modification of production)
  • Avoids privacy violations, service degradation, and damage to users — if you can demonstrate the bug without doing harm, you must
  • Reports promptly via security@givealign.com and gives us a reasonable disclosure window (we aim for 90 days) before public disclosure
  • Does not violate any other applicable law (we can’t promise safe harbor against statutes outside our control)

We follow the spirit of the disclose.io Core Terms. If you’re unsure whether your planned testing is in scope, email first — we’d rather scope a session than litigate one later.

Things That Will Void Safe Harbor

  • ✗ Accessing, downloading, or modifying any donor record beyond what’s strictly necessary to prove the vulnerability
  • ✗ Disrupting our service for legitimate donors (denial-of-service, spam, mass scanning that triggers rate-limit lockouts)
  • ✗ Demanding payment in exchange for not disclosing (this is extortion, not security research, and we’ll treat it as such)
  • ✗ Publishing a vulnerability before we’ve had a reasonable chance to fix it — coordinated disclosure means coordinated

Hall of Fame

Good-faith researchers who report a confirmed vulnerability and consent to public credit are acknowledged here. This page launches with no entries — be the first.

No researchers credited yet. The first entry lands here once a report is triaged and patched.
