At Marty, the security of our systems, data, and customers is a top priority.
We recognize that security researchers play an important role in helping identify vulnerabilities, and we welcome responsible disclosures made in good faith.
This policy outlines how to report security vulnerabilities to Marty and what you can expect from us in return.
1. Safe Harbor
Marty considers security research conducted under this policy to be authorized and lawful, provided it is carried out in good faith and in accordance with the guidelines below. We will not initiate legal action against individuals who:
Make a good faith effort to comply with this policy
Avoid privacy violations, data destruction, and service disruption
Give us a reasonable amount of time to remediate the issue before public disclosure
This policy does not grant permission to perform activities that are explicitly prohibited below.
2. Scope
In scope
*.marty.hr
Marty web application and APIs
Authentication and authorization mechanisms
Data access controls
Out of scope
Denial of Service (DoS or DDoS) attacks
Social engineering, phishing, or physical attacks
Attacks against third-party services or infrastructure providers (e.g. cloud providers, identity providers)
Automated vulnerability scanning that causes service degradation
Testing on accounts or data you do not own or have explicit permission to use
All other staff
3. How to Report a Vulnerability
If you believe you have discovered a security vulnerability, please report it by emailing: [email protected]. Please include, where possible:
A clear description of the vulnerability
Steps to reproduce the issue
Potential impact
Screenshots, logs, or proof-of-concept code (if available)
We will acknowledge receipt of your report within 5 business days.
4. What We Ask From You
We ask that security researchers:
Act in good faith and avoid unnecessary risks
Do not access, modify, or delete data belonging to others
Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it
Comply with applicable laws and regulations
5. What You Can Expect From Us
Upon receiving a valid report, Marty will:
Acknowledge the report within 5 business days
Investigate and validate the issue
Communicate with you regarding remediation progress where appropriate
Severity & Response Targets
| Severity | Example | Target Response |
| --- | --- | --- |
| Critical | Authentication bypass, sensitive data exposure | ≤ 72 hours |
| High | Privilege escalation, unauthorized access | ≤ 5 business days |
| Medium | Limited data exposure | ≤ 10 business days |
| Low | Best practice or hardening issues | As scheduled |
6. Bug Bounty
Marty does not currently offer monetary rewards for vulnerability disclosures. We greatly appreciate the efforts of security researchers and value responsible disclosure as a contribution to improving the security of our platform.
7. Prohibited Activities
The following activities are strictly prohibited:
Distributed Denial of Service (DDoS) attacks
Spamming or brute-force attacks
Social engineering or phishing of employees, contractors, or customers
Physical attacks against offices, hardware, or data centers
8. Policy Changes
Marty may update this Responsible Disclosure Policy from time to time.
The most current version will always be available on our official website.
9. Contact
For questions, feedback, or security concerns, please contact: [email protected].
10. Responsibility
The Security function at Marty is responsible for implementing, maintaining, and enforcing this policy in accordance with our Information Security Management System (ISMS).