Security & Vulnerability Disclosure

Last updated: February 16, 2026

The security of our platform and our users' data is a top priority. This page describes our security practices and how to responsibly report vulnerabilities.

Our Security Practices

Rivofin implements comprehensive security measures to protect your data. For a detailed description, see Section 8 of our Privacy Policy. Key measures include:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256-GCM)
  • Passwords hashed using scrypt with per-user salts
  • Two-factor authentication (TOTP) available for all accounts
  • Role-based access controls
  • Regular security assessments
  • SOC 2 certified infrastructure providers

Reporting a Vulnerability

If you discover a security vulnerability in our Service, we appreciate your help in disclosing it responsibly. Please report vulnerabilities by email:

Our machine-readable security contact information is available at /.well-known/security.txt.

Scope

The following systems and services are in scope for vulnerability reports:

  • The Rivofin web application at rivofin.com
  • The Rivofin API
  • Authentication and authorization systems
  • Data storage and encryption systems

The following are out of scope:

  • Third-party services and websites not operated by Rivofin
  • Social engineering attacks against Rivofin employees
  • Denial-of-service attacks
  • Physical attacks against Rivofin infrastructure

Response Timeline

When you report a vulnerability, you can expect:

  • Acknowledgment: Within 3 business days of your report
  • Status update: Within 10 business days with our assessment and expected resolution timeline
  • Resolution: We aim to resolve confirmed vulnerabilities as quickly as possible, prioritized by severity

Safe Harbor

We consider security research conducted in accordance with this policy to be authorized and will not pursue legal action against researchers who:

  • Act in good faith to avoid privacy violations and disruptions to the Service
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue
  • Report vulnerabilities promptly and do not disclose them publicly before we have had a reasonable opportunity to address them
  • Do not access, modify, or delete other users' data

What to Include

When reporting a vulnerability, please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any relevant screenshots or proof-of-concept code
  • Your contact information for follow-up

Contact

For all security-related inquiries: