Vulnerability Disclosure Policy

Last Updated: June 20, 2026

Introduction

Free For Charity emphasizes security and user privacy, welcoming responsible vulnerability disclosures from independent researchers.

Safe Harbor

We consider security research conducted under this policy to be authorized and will not initiate legal action against researchers for accidentally violating this policy.

Scope

In Scope

  • ffcadmin.org and other Free For Charity admin/training properties
  • freeforcharity.org (WordPress)
  • freeforcharity.org/hub (WHMCS)
  • FFC-managed charity websites and other publicly accessible FFC services

Out of Scope

  • Third-party services
  • Denial of Service attacks
  • Social engineering or physical attacks
  • Unverified automated scanner reports
  • Issues lacking clear security impact

Reporting Process

Contact us via:

Reports should include a vulnerability description, reproduction steps, proof-of-concept materials, and your contact information.

Response Commitment

We commit to acknowledging reports within 2 business days, validating vulnerabilities, remediating them promptly, and notifying researchers of resolution.

Guidelines

Researchers should avoid data destruction, respect privacy, use only test accounts they own, and immediately report any sensitive data exposure.

Recognition

Valid, responsibly disclosed vulnerabilities receive public acknowledgment on our Security Acknowledgements page.