Vulnerability Disclosure Policy
Effective date: 1 May 2026
Version 1.0
The security of our systems and the data entrusted to us by our customers and their users is a top priority at Linkrunner. As a mobile measurement and attribution platform, we process attribution, device, and campaign data on behalf of our customers, and we take our responsibility as a data processor seriously.
We value the work of the security research community and believe that responsible disclosure of vulnerabilities makes everyone safer. This policy explains what systems and research are covered, how to report a vulnerability to us, what you can expect from us in return, and the protections we extend to researchers acting in good faith.
This policy is maintained in line with the principles of ISO/IEC 29147 for vulnerability disclosure and ISO/IEC 30111 for vulnerability handling.
1. Our commitment to researchers
If you make a good-faith effort to comply with this policy during your security research, Linkrunner Private Limited will consider your research to be authorized, will work with you to understand and resolve the issue quickly, and will not pursue or support legal action against you in connection with that research.
If legal action is initiated by a third party against you for activities that were conducted in accordance with this policy, we will take reasonable steps to make it known that your actions were authorized under this policy.
This safe harbor applies only to the in-scope systems listed below and only to conduct consistent with the guidelines for researchers. If in doubt about whether a specific action is authorized, contact us at support@linkrunner.io before proceeding.
2. Scope
2.1 Systems in scope
The following production systems owned and operated by Linkrunner are in scope:
- The Linkrunner public website and contact forms at linkrunner.io
- The Linkrunner web dashboard at dashboard.linkrunner.io
- The Linkrunner API at api.linkrunner.io
- The Linkrunner MCP endpoint at mcp.linkrunner.io, when tested only through accounts, projects, and data you are authorized to access
- The Android SDK published as io.linkrunner:android-sdk
- The iOS SDK, including the LinkrunnerKit package and pod
2.2 Vulnerability types we are most interested in
Because we operate a multi-tenant platform, our highest-priority concern is the integrity of tenant isolation. We are especially interested in:
- Cross-tenant data access, including any flaw that allows one customer to view, infer, or modify another customer's attribution data, campaigns, or account
- Remote code execution
- SQL or other injection, including against our data stores
- Authentication bypass or session/token handling flaws
- Server-side request forgery
- Exposure of secrets, credentials, or API keys
- Exposure of customer or end-user personal data
- Billing or usage-metering manipulation
- Privilege escalation
- Stored or reflected XSS with demonstrable impact
- Significant misconfigurations of in-scope systems
2.3 Out of scope systems
- Systems, websites, applications, or provider infrastructure owned, operated, or controlled by a third party, even where they appear under a Linkrunner domain. Platform-level issues should be reported to the relevant provider.
- Any system not explicitly listed in Section 2.1.
- The systems, accounts, or data of our customers, partners, or their end users, unless you have written authorization from that customer or partner and you avoid accessing data that is not yours.
2.4 Out of scope vulnerability types
The following are generally not eligible under this policy unless you can demonstrate a concrete, exploitable security impact:
- Volumetric, denial-of-service, distributed denial-of-service, or resource-exhaustion attacks
- Social engineering or phishing of Linkrunner staff, customers, or contractors
- Physical attacks against Linkrunner property or data centers
- Findings from automated scanners or tools without a working proof of concept
- Missing security headers, cookie flags, or best-practice configurations without demonstrated impact
- SPF, DKIM, or DMARC configuration issues
- Self-XSS, or issues requiring an already-compromised device or unrealistic user interaction
- Clickjacking on pages with no sensitive state-changing actions
- Login/logout CSRF, or CSRF on actions with no security impact
- Rate-limiting concerns on non-authentication endpoints
- Use of a known-vulnerable library version without a demonstrated exploit on our systems
- Issues affecting only end-of-life or unsupported browsers or platforms
- TLS/SSL configuration weaknesses without a demonstrated exploit
3. Guidelines for researchers
To remain within the safe harbor and authorization granted by this policy, you agree to:
- Test only against the systems listed in Section 2.1, and only to the extent necessary to identify and demonstrate a vulnerability.
- Avoid accessing, downloading, modifying, or storing personal or customer data. If you encounter such data, stop, do not access it further, and tell us in your report. Where possible, use only test accounts and test data. Contact us if you need a test environment provisioned.
- Avoid any action that could degrade, disrupt, or damage our systems or the experience of our customers and their users.
- Not exfiltrate any data beyond the minimum proof of concept required to demonstrate the vulnerability, and securely delete any incidental data you obtain once it is no longer needed for the report.
- Not use the vulnerability for any purpose other than verification and reporting, and not disclose it to any third party before coordinated disclosure.
- Comply with all applicable laws, including the Information Technology Act, 2000 and applicable data-protection law.
- Give us a reasonable opportunity to remediate before any public disclosure.
4. How to report
Send your report to support@linkrunner.io.
To help us triage and reproduce quickly, please include:
- A clear description of the vulnerability and the affected in-scope system or endpoint.
- Step-by-step reproduction instructions, including any required preconditions.
- A proof of concept, such as request/response samples, scripts, or screenshots, sufficient to demonstrate the issue.
- An assessment of the potential impact, and the CVSS vector if you have one.
- Your contact details and how you would like to be credited, if applicable.
5. What you can expect from us
We are committed to handling your report promptly and transparently:
- Acknowledgement within 3 business days of receipt.
- Triage and an initial severity assessment using CVSS within 10 business days, after which we will confirm whether the report is in scope and validated.
- Regular updates on remediation progress at reasonable intervals until the issue is resolved.
- Coordinated disclosure: we ask that you keep the report confidential until we have remediated the issue and agreed on a disclosure timeline. Our target remediation window is 90 days from validation. If we are unable to remediate within the agreed window, we will work with you to agree on a revised timeline rather than leaving the report open-ended.
Internally, validated reports are tracked through our vulnerability-management process, assigned an owner, prioritized by severity, and remediated and verified before closure, consistent with ISO/IEC 30111.
6. Recognition
We are grateful to researchers who help keep Linkrunner secure. With your permission, we are happy to publicly acknowledge your contribution in our Security Hall of Fame.
Linkrunner does not currently operate a paid bug bounty program, and reports submitted under this policy are not eligible for monetary reward. If a paid program is introduced, its scope, severity tiers, and reward ranges will be published separately.
7. Changes to this policy
We may update this policy from time to time. The version and date at the top of this document reflect the current revision. Material changes do not affect the authorization granted for research already conducted in good faith under a prior version.
8. Contact
- Security reports: support@linkrunner.io
- Policy location: https://linkrunner.io/security
- Security.txt: https://linkrunner.io/.well-known/security.txt