Security Disclosure Policy

Effective date: May 26, 2026

Finny AI takes seriously the security of our platform and of the financial advisors and clients we serve. We appreciate the work of security researchers who help us keep Finny safe, and this policy describes how to report a vulnerability and what you can expect from us in return.

Reporting a vulnerability

Please email security@finny.com with:

  • A description of the issue and its potential impact.
  • Steps to reproduce, including any proof-of-concept code, screenshots, or request/response captures.
  • The affected URL, endpoint, or component.
  • Your name or handle if you would like to be credited.

We accept reports in English. If you would like to encrypt your report, please request our PGP key in your initial message and we will provide it.

What you can expect from us

  • Acknowledgement of your report within 3 business days.
  • An initial triage assessment within 10 business days, including a severity rating and our expected remediation timeline.
  • Regular updates on our progress until the issue is resolved.
  • Public credit in our security acknowledgements, if you would like it and once the issue has been remediated.

Safe harbor

We will not pursue legal action against, or ask law enforcement to investigate, security researchers who:

  • Make a good-faith effort to comply with this policy.
  • Report vulnerabilities promptly and do not publicly disclose them before we have had a reasonable opportunity to remediate.
  • Avoid privacy violations, destruction of data, and interruption or degradation of our service.
  • Only interact with accounts they own or with the explicit permission of the account holder.

If legal action is initiated by a third party against you for activities conducted in accordance with this policy, we will make this authorization known.

Scope

In scope:

  • finny.com and its subdomains (e.g. app.finny.com), as well as staging.finny.dev.
  • Finny's first-party APIs and authenticated web application.

Out of scope:

  • Third-party services that integrate with Finny (please report those to the relevant vendor).
  • Social engineering of Finny employees, customers, or vendors.
  • Denial-of-service attacks, volumetric attacks, or anything that degrades service for other users.
  • Physical attacks against Finny offices or personnel.
  • Findings from automated scanners without a demonstrated, exploitable impact.
  • Missing security headers, cookie flags, or best-practice configurations without a demonstrated exploit.
  • Issues that require a fully compromised victim device or root-equivalent access to exploit.

Rules of engagement

When testing, please:

  • Use test accounts you have created. Do not attempt to access another user's data.
  • Stop and report immediately if you encounter personal, financial, or other sensitive data — do not download, store, or share it.
  • Limit testing to the minimum necessary to demonstrate the vulnerability.
  • Do not exfiltrate data, install backdoors, modify production data, or pivot to other systems.

Disclosure

We work with reporters to agree on a coordinated disclosure timeline. By default we ask that you give us 90 days to remediate before public disclosure, though we are happy to discuss shorter or longer windows when the situation warrants it.

Contact

Security reports: security@finny.com

This policy is also referenced from our /.well-known/security.txt file in accordance with RFC 9116.
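A security.txt that does not follow RFC 9116 is a common reason reports never arrive (an expired file, a plain-http contact URL, or a missing Expires field). As an added example that is not part of Finny's policy or code, the Python checker below parses a security.txt body and applies the RFC 9116 rules that most often go wrong: Contact is required, Expires is required exactly once and should be less than a year ahead, Preferred-Languages appears at most once, and every web URI must use https. The sample file inside it is constructed for illustration: only the security@finny.com address comes from this page; the Policy and Canonical URLs and the Expires date are assumptions.

```python
"""Added example: a minimal RFC 9116 security.txt checker (not Finny's code).

Parses a security.txt body into fields and reports the rules reporters and
maintainers most often get wrong: a missing Contact, a missing, malformed,
expired or too-distant Expires, a repeated single-valued field, and web URIs
that are not https. The sample file is constructed; every value in it other
than the security@finny.com address is an assumption for illustration.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample. The Policy/Canonical URLs and the Expires date are assumed.
SAMPLE_SECURITY_TXT = """\
# Constructed sample for this example, not the file served by finny.com
Contact: mailto:security@finny.com
Expires: 2027-05-01T00:00:00.000Z
Policy: https://finny.com/security
Preferred-Languages: en
Canonical: https://finny.com/.well-known/security.txt
"""

# RFC 9116: Contact MUST appear at least once; Expires MUST appear exactly
# once; Preferred-Languages MUST NOT appear more than once.
REQUIRED = ("Contact", "Expires")
AT_MOST_ONCE = ("Expires", "Preferred-Languages")
# Fields whose values are URIs; any web URI among them MUST begin with https://.
URI_FIELDS = ("Contact", "Encryption", "Acknowledgments", "Policy", "Hiring", "Canonical")


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return {field-name: [values...]}. Field names are case-insensitive in
    RFC 9116, so known names are normalised to the RFC's spelling."""
    canonical = {f.lower(): f for f in REQUIRED + AT_MOST_ONCE + URI_FIELDS}
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no fields
        if ":" not in line:
            fields.setdefault("__malformed__", []).append(line)
            continue
        name, value = line.split(":", 1)
        name = canonical.get(name.strip().lower(), name.strip())
        fields.setdefault(name, []).append(value.strip())
    return fields


def parse_expires(value: str) -> datetime | None:
    """RFC 9116 requires an RFC 3339 date-time. Rewrite a trailing 'Z' as
    '+00:00' because datetime.fromisoformat only accepts 'Z' from Python 3.11."""
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    if dt.tzinfo is None:  # RFC 3339 stamps carry a zone; treat a bare one as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def check_security_txt(text: str, now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file passes these checks."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems: list[str] = []

    for line in fields.get("__malformed__", []):
        problems.append(f"malformed line (no 'name: value'): {line!r}")
    for name in REQUIRED:
        if name not in fields:
            problems.append(f"{name}: required field is missing")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            problems.append(f"{name}: must not appear more than once")

    for name in URI_FIELDS:
        for value in fields.get(name, []):
            scheme = urlparse(value).scheme.lower()
            if not scheme:
                problems.append(f"{name}: value is not a URI: {value!r}")
            elif scheme == "http":
                problems.append(f"{name}: web URIs must use https, got {value!r}")

    for value in fields.get("Expires", [])[:1]:
        expires = parse_expires(value)
        if expires is None:
            problems.append(f"Expires: not an RFC 3339 date-time: {value!r}")
        elif expires <= now:
            problems.append(f"Expires: file expired at {value}")
        elif expires - now > timedelta(days=365):
            problems.append("Expires: more than a year ahead (RFC 9116 says it SHOULD be under a year)")
    return problems


if __name__ == "__main__":
    for problem in check_security_txt(SAMPLE_SECURITY_TXT) or ["OK: no problems found"]:
        print(problem)
```

Run it against the body fetched from https://finny.com/.well-known/security.txt (after stripping any OpenPGP cleartext signature wrapper, which this checker does not handle). If a PGP key is published, the RFC 9116 Encryption field is the usual place to point at it, and the checker treats that field like the other URI fields.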