Install Gamma Trade
Get the full app experience — one tap from your home screen.
Back to Gamma Trade
Legal · Gamma Trade

Vulnerability Disclosure Policy

Last updated: February 8, 2026

Gamma Trade welcomes responsible security research. This policy explains how to report vulnerabilities and what you can expect from us when you do.

1. Reporting a Vulnerability

Please email security@gextrade.fyi with:

  • A clear description of the vulnerability and its potential impact.
  • Steps to reproduce (or a proof-of-concept request / payload).
  • Affected URL(s) or component(s).
  • Your name / handle if you'd like credit (optional).

You may use our PGP key if you want to encrypt the report — request the public key in your first message.

2. Scope

In-scope:

  • https://gextrade.fyi and all sub-domains.
  • The Gamma Trade web application and its public APIs (paths starting with /api/).
  • Authentication, billing, push notification, and Plaid-integration flows.

Out-of-scope:

  • Third-party services we use (Stripe, Resend, Plaid, MongoDB Atlas, Cloudflare) — report directly to the vendor.
  • Findings on staging / preview URLs that are not reachable from the public app.
  • Volumetric DoS / DDoS, social engineering of staff, physical attacks.
  • Reports from automated scanners with no demonstrated impact.
  • Best-practice "missing header" findings (e.g., missing security header that isn't exploitable).
  • Self-XSS that requires the user to paste a payload into devtools.

3. Safe Harbor

If you make a good-faith effort to comply with this policy during your security research, we will consider your activity to be authorized. We will not pursue legal action against you or report you to law enforcement, provided you:

  • Do not access, modify, or delete other users' data.
  • Do not perform testing that degrades the service for other users.
  • Give us a reasonable amount of time (at minimum 90 days, typically longer) to investigate and fix the issue before any public disclosure.
  • Avoid privacy violations, destruction of data, and disruption of services.
  • Comply with applicable laws.

4. Our Commitments

  • We acknowledge receipt of your report within 3 business days.
  • We provide an initial triage / severity assessment within 7 business days.
  • We keep you informed of remediation progress and notify you when the fix ships.
  • With your permission, we credit you publicly in a Hall of Fame on this page after the issue is resolved.

5. Rewards

Gamma Trade does not currently operate a paid bug-bounty program. We may offer swag, account credits, or a public acknowledgment depending on severity and quality of the report.

6. Hall of Fame

Coming soon — we'll list researchers who have responsibly disclosed valid issues here.

© 2026 Gamma Trade. Markets data is delayed and for informational use only — not investment advice.
support@gextrade.fyi

Made with Emergent