Vulnerability Disclosure Policy for Free For Charity
Last Updated: August 31, 2025
Introduction
Free For Charity is committed to ensuring the security of our systems and the privacy of our users. We value the contributions of independent security researchers and believe that responsible disclosure of security vulnerabilities helps us achieve our security goals. This policy outlines how researchers can report vulnerabilities to us, what we promise in return, and the scope of our program.
Safe Harbor
We consider security research conducted under this policy to be authorized and will not initiate legal action against researchers for accidentally violating this policy. We will work with you to understand and quickly resolve issues in a way that is consistent with this policy and our legal obligations. To be covered by this Safe Harbor provision, you must adhere to all guidelines within this policy.
Scope
This policy applies to all digital assets owned, operated, or maintained by Free For Charity, including:
In Scope:
- freeforcharity.org (WordPress)
- freeforcharity.org/hub (WHMCS)
- Any other publicly accessible services hosted under freeforcharity.org
Out of Scope:
- Any third-party services or providers we use.
- Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks.
- Social engineering (e.g., phishing, vishing) or physical attacks against our employees, users, or infrastructure.
- Reports from automated tools or scanners without manual verification.
- Issues without a clear security impact, such as missing security headers or descriptive error messages (unless they lead to a vulnerability).
How to Report a Vulnerability
If you believe you have discovered a security vulnerability, please contact us immediately:
- Email: clarkemoyer@freeforcharity.org
- Text: 1 520 222 8104
Your report should include:
- A clear description of the vulnerability, including its type and potential impact.
- Step-by-step instructions to reproduce the issue, including any URLs, parameters, and necessary headers.
- Proof-of-concept code, screenshots, or videos to demonstrate the vulnerability.
- Your contact information and, if you wish to be acknowledged, the name or handle you would like to be credited with.
Our Commitment & Process
After you submit a report, we will make every effort to:
- Acknowledge receipt of your report within 2 business days.
- Triage and validate the vulnerability. We will notify you of our assessment.
- Remediate the vulnerability in a timely manner.
- Notify you when the vulnerability has been resolved.
We ask that you do not publicly disclose the issue until we have had a reasonable amount of time to address it and have granted you permission to do so.
Guidelines & Rules of Engagement
When conducting your research, we ask that you make a good faith effort to:
- Avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
- Only interact with test accounts you own or with the explicit permission of the account holder.
- Cease any testing and report the issue immediately if you encounter any sensitive user data.
Acknowledgements
We believe in recognizing the valuable work of security researchers who help keep our services safe. For valid and responsibly disclosed vulnerabilities, we are pleased to offer a public acknowledgment on our Security Acknowledgements page, with your permission.
Thank you for helping us keep our community safe.
