Verifi

Last updated: March 17, 2026

Responsible Disclosure Policy

Verifi Finance is committed to the security of our systems and the protection of our customers' data. We welcome and encourage security researchers to report potential vulnerabilities in our services.

1. How to Report a Vulnerability

Send vulnerability reports to:

compliance@verifi.finance

Please include the following in your report:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any proof-of-concept code or screenshots
  • Your contact information for follow-up

2. What We Commit To

  • Acknowledge receipt of your report within 48 hours
  • Provide an initial assessment within 5 business days
  • Keep you informed of remediation progress at regular intervals
  • Notify you when the issue is resolved
  • Credit you as the discoverer (if you wish) once the issue is resolved

3. Safe Harbor

Verifi Finance will not pursue civil or criminal action against security researchers who make a good-faith effort to comply with this policy. We consider activities conducted in accordance with this policy to be authorized. Specifically, we ask that researchers:

  • Avoid privacy violations -- do not access, modify, or delete data belonging to other users
  • Do not exploit the vulnerability beyond what is necessary to demonstrate the issue
  • Do not disclose the vulnerability publicly before we have had a reasonable opportunity to address it (minimum 90 days)
  • Report the vulnerability promptly and do not use it for personal gain

4. Scope

In scope:

  • verifi.finance and all subdomains (*.verifi.finance)
  • Verifi web application and API endpoints

Out of scope:

  • Third-party services hosted by our vendors
  • Social engineering attacks against employees
  • Denial of service (DoS/DDoS) attacks
  • Automated scanning that generates excessive traffic

5. Security Measures

Verifi Finance implements comprehensive security measures to protect customer data:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • GDPR compliant, EU-hosted infrastructure
  • Role-based access controls with multi-factor authentication
  • 24/7 system monitoring, audit trails, and incident response
  • Regular security assessments aligned with ISO 27001 and SOC 2 frameworks

6. Contact

For vulnerability reports and security inquiries: