Security Disclosure

Risk Disclosure

Report Misconduct

Disclaimer

Complaints

Cookie Notice

Security Disclosure

Promo Rules

Click to view the Legal Documents menu

Security Vulnerability Disclosure Policy

We take the security of our systems and services seriously and value the global security community. Responsible disclosure of security vulnerabilities helps us protect our clients, partners, and employees' safety and privacy.

Guidelines

If you adhere to these guidelines when reporting issues to us, we commit to:

Not pursuing or supporting legal actions related to your responsible investigation and reporting of such issues
Collaborating with you to swiftly understand and remediate the reported issue (including an initial acknowledgement within 72 hours of report submission)
Acknowledging your contribution if you are the first to report the issue and we make code or configuration changes based on it

We ask all security researchers to:

Make every effort to avoid compromising privacy, degrading user experience, disrupting production systems, or destroying data during security analysis
Limit testing strictly within the defined scope
Only use the minimal level of exploit necessary to demonstrate the vulnerability and cease testing once proven
Refrain from data exfiltration, establishing command line access and/or persistence, or redirecting to third-party systems
Report the vulnerability to us via the designated communication channels listed below

Scope

https://www.afttmarkets.com

Out of Scope

Any services hosted by third-party providers are out of scope. These include:

News feeds
Market price feeds

To ensure safety for users, employees, the wider internet, and researchers, the following testing types are excluded from scope:

Physical attacks such as office access (e.g., badge tailgating)
Social engineering discoveries (e.g., phishing or vishing)
Findings from applications or systems not listed in the 'Scope' section
UI/UX bugs and typographical errors
Denial-of-service (DoS/DDoS) vulnerabilities
Missing cookie flags or HTTP security headers
Spam via web form submissions

We do not wish to receive:

Personally Identifiable Information (PII)
Financial data (e.g., credit card or bank account numbers)
Automated scanner results without contextual analysis

Reporting Security Concerns

If you believe you have discovered a security issue within any of our products or platforms, please email us at[email protected]with the following details:

A description of the location and potential impact of the issue
Detailed reproduction steps (including POC scripts, screenshots, and screen recordings where possible)
Your name/alias and, optionally, a recognition link for our Security Hall of Fame

Coordinated Disclosure

We strive to resolve issues within 90 days or sooner. Please note that public disclosure before resolution may increase risk exposure. For the protection of our stakeholders, we request that you refrain from public or third-party disclosure until the issue has been addressed and relevant parties have been informed.

Where applicable, we aim to coordinate the timing of public disclosure with you upon confirmation and remediation.