Security disclosure policy

We work with security researchers in good faith. If you find a vulnerability in Conto, this page tells you how to report it, what we will do in response, and what is in or out of scope.

How to report

Email security@conto.finance. Include reproduction steps, the affected URL or endpoint, the impact you believe the issue has, and any proof-of-concept code. Plain text is fine. We do not require encryption for the initial report; if you prefer encryption, ask for our PGP key in your first message and we will reply with it.

Please do not file public GitHub issues for suspected vulnerabilities. Please do not post details to social media or public forums until we have agreed on a coordinated disclosure date.

The machine-readable version of this policy is at /.well-known/security.txt per RFC 9116.

What you can expect from us

  • We acknowledge new reports within five business days of receipt.
  • We provide a triage update with a severity assessment within ten business days.
  • We work toward a fix on a timeline that matches the severity. Critical issues take priority over everything else on the roadmap.
  • We coordinate disclosure with you. If you would like attribution in a public advisory or release note, we are happy to do that.
  • We do not currently run a paid bug bounty. We do thank researchers publicly with their consent.

Scope

The following are in scope:

  • conto.finance and its subdomains operated by Conto.
  • The Conto SDK packages on npm (@conto/sdk, @conto_finance/mcp-server, @conto_finance/create-conto-agent).
  • The Conto API surface, including webhook signing, SDK authentication, and policy evaluation.

The following are out of scope:

  • Findings that require non-default browser configurations, physical access, or social engineering of Conto staff.
  • Vulnerabilities in third-party services we integrate with (Sponge, Privy, Stripe, Resend, Inngest, Sentry, Upstash, Neon, Vercel). Please report those to the respective vendors. We will cooperate if the issue affects Conto users.
  • Best-practice findings without a demonstrated security impact (missing security headers on non-sensitive routes, missing rate limiting on public marketing pages, theoretical CSRF on idempotent endpoints, and similar).
  • Denial of service via traffic volume, resource exhaustion, or application-layer flooding.
  • Reports from automated scanners with no manual validation of exploitability.

Safe harbor

If you make a good-faith effort to comply with this policy, we will not pursue or support legal action against you for your research. We consider activity that follows this policy to be authorized, and we will work with you to understand and resolve the issue quickly.

To stay within safe harbor, please:

  • Only test against accounts you own. Do not access, modify, or exfiltrate data belonging to other Conto customers.
  • Stop testing as soon as you confirm a vulnerability and report it. Do not pivot, escalate, or persist beyond what is needed to demonstrate the issue.
  • Do not run automated scans that could degrade service for other users.
  • Give us a reasonable amount of time to fix the issue before public disclosure.

If you are unsure whether a planned test would fall within this policy, ask first at security@conto.finance.

Already reported issues

We track known issues and publish post-fix advisories as part of our release notes. The blog and changelog are the canonical record.