Vulnerability Disclosure Policy

Last updated: 20/06/2026

Introduction

CredCore Inc. welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issue in any of our assets, we want to hear from you. This policy outlines how to report vulnerabilities to us, what we expect from you, and what you can expect from us.

Systems in Scope

This policy applies to the following digital assets owned, operated, or maintained by CredCore Inc.:

  • https://credcore.com and its subdomains

  • https://api.credcore.com, including the Liquid MCP endpoint at /liquid-mcp/mcp

Testing must be performed using only accounts and data that you own or are explicitly authorized to use. You must not attempt to access, modify, or exfiltrate the financial data, personal information, or account contents of any other CredCore customer.

Out of Scope

The following systems and activities are out of scope under this policy:

  • Denial-of-service (DoS/DDoS) attacks or resource-exhaustion testing

  • Social engineering, phishing, or physical attacks against CredCore staff, customers, or facilities

  • High-volume automated scanning that degrades or disrupts production systems

  • Attacks requiring a compromised account, stolen credentials, or a man-in-the-middle position

  • Reports generated solely by automated tools without a demonstrated, exploitable impact

  • Third-party services that CredCore relies upon but does not own or control, including our identity and authentication provider (Ory) and our hosting and infrastructure providers

Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority. Assets or other equipment not owned by parties participating in this policy are not covered.

Our Commitments

When you work with us in accordance with this policy, you can expect us to:

  • Acknowledge your report within 3 business days;

  • Triage and validate your report, with an initial assessment of severity and impact, within 10 business days, and let you know if we need more information;

  • Keep you reasonably informed of progress as the issue is processed;

  • Work to remediate confirmed vulnerabilities in a timely manner, prioritized by risk and within our operational constraints; and

  • Extend Safe Harbor for vulnerability research conducted under this policy.

These timeframes are good-faith targets, not contractual guarantees.

Our Expectations

In participating in our vulnerability disclosure program in good faith, we ask that you:

  • Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;

  • Report any vulnerability you’ve discovered promptly;

  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;

  • Use only the Official Channels to discuss vulnerability information with us;

  • Before publicly disclosing, give us time to remediate: please wait until the earlier of (a) our confirmation that the issue is resolved, or (b) 90 days from your initial report. We are glad to coordinate a disclosure timeline with you;

  • Perform testing only on in-scope systems, and respect systems and activities that are out of scope;

  • If a vulnerability provides unintended access to data: limit the amount of data you access to the minimum required to effectively demonstrate a proof of concept; do not store, retain, aggregate, export, or derive additional data from affected systems beyond what that proof of concept requires; and cease testing and submit a report immediately if you encounter any user data, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card or financial account data, or proprietary information;

  • Only interact with test accounts you own or have explicit permission from the account holder to access; and

  • Do not engage in extortion.

Official Channels

Please report security issues to security@credcore.com, providing all relevant information — a description of the issue, the affected system or endpoint, steps to reproduce, a proof of concept where applicable, and an assessment of potential impact. The more detail you provide, the faster we can triage and fix the issue.

Safe Harbor

When conducting vulnerability research according to this policy, we consider this research to be:

  • Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy;

  • Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls;

  • Exempt from restrictions in our Terms of Service (TOS) and/or Acceptable Usage Policy (AUP) that would interfere with conducting security research, and we waive those restrictions on a limited basis; and

  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.

Note that Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that this policy does not bind independent third parties.

Changes to this Policy

We may update this policy from time to time. The current version, indicated by the “Last updated” date above, governs vulnerability research and reporting conducted while it is in effect.

AI-driven. Expert-verified.

Your Privacy Choices
Notice at Collection

Do Not Sell or Share My Personal Information

Privacy Request

Terms

Security

Legal

© CredCore 2026. All rights reserved.
