Security & Responsible Disclosure
Last updated: 2026-05-23
We take the security of portfoliq.io seriously. If you have discovered a security vulnerability, we encourage you to disclose it responsibly so we can address it quickly.
How to report
Send your report to security@portfoliq.io. Please include:
- A clear description of the vulnerability and its impact
- Steps to reproduce (proof-of-concept, if applicable)
- Affected URLs, parameters, or components
- Your contact information (email address)
PGP encryption: A PGP key will be published here when available. For now, plain email is accepted — please avoid including sensitive exploit payloads in the initial report.
What to expect
- Acknowledgement: We aim to acknowledge your report within 3 business days.
- Assessment: We will assess the severity and impact within 10 business days.
- Resolution: We target remediation within 90 days for most vulnerabilities. Critical issues (active exploitation, data exfiltration risk) are treated with the highest priority.
- Disclosure: We support coordinated disclosure. We will notify you before publishing any security advisory.
No bug bounty programme is currently active (M0). We appreciate your contribution to the security of our platform.
In scope
- portfoliq.io — public website and dashboard
- api.portfoliq.io — REST API
- Authentication flows, API key management, billing
- Data integrity — incorrect data returned by endpoints, data exposure
Out of scope
The following are explicitly out of scope for responsible disclosure:
- Denial-of-service attacks (volumetric DDoS, resource exhaustion)
- Social engineering, phishing, or attacks targeting portfolIQ employees or users
- Physical security
- Issues in third-party services (Stripe, Cloudflare, Hetzner) — please report those to the respective vendors
- Findings from automated scanners without manual verification
- Missing security headers considered low-impact (e.g., missing X-Powered-By suppression)
Rules of engagement
- Do not access, modify, or delete data belonging to other users.
- Do not perform any action that could impact availability of the service.
- Use test accounts and test API keys for your research.
- Do not share or publish vulnerability details before a fix is deployed and we have coordinated on disclosure timing.
Legal
We will not take legal action against security researchers who identify and report vulnerabilities in good faith, following these guidelines. We ask that you act in good faith: do not exploit vulnerabilities beyond what is necessary to demonstrate the issue.
Machine-readable security.txt
A security.txt file is available at https://portfoliq.io/.well-known/security.txt per RFC 9116.