Transmute · Legal
Vulnerability Disclosure Policy
Version 1.0 · Effective: July 14, 2026 · Last updated: July 14, 2026
403 Finance, Inc. ("403 Finance," "we," "us") provides Transmute (the "Service"), a hosted API for converting financial messages between SWIFT MT and ISO 20022 formats. We welcome reports from security researchers acting in good faith, and this policy explains how to report a vulnerability and the protections that apply when you do.
1. Our Commitment and Scope
(a) Commitment. We take security seriously, will investigate every good-faith report, and will work to remediate confirmed issues. We will acknowledge your report and keep you reasonably informed of our progress. This policy constitutes the written consent referenced in our Terms of Service and Acceptable Use Policy for good-faith security research conducted within these rules.
(b) In scope. This policy covers the hosted Service (the production API and customer portal) and our public marketing website.
(c) Out of scope. This policy does not cover customer self-hosted or on-premises deployments, which run on customer-controlled infrastructure. It also does not cover third-party services we rely on; please report those to the relevant vendor.
2. How to Report
Email security@403fin.io with enough detail for us to reproduce and assess the issue:
- the affected endpoint, URL, or component;
- a clear description of the vulnerability and its security impact;
- step-by-step reproduction instructions, with any proof-of-concept request or payload; and
- your name or handle if you would like to be credited.
Please use synthetic test data only (for example, published example IBANs and TEST BICs) in any proof of concept, and never real financial or personal data.
3. Safe Harbor
(a) We consider security research and vulnerability disclosure conducted in good faith and in accordance with this policy to be authorized. We will not pursue or support legal action against you for such research, and we will treat it as authorized under applicable computer-fraud and anti-hacking laws and consistent with the terms governing the Service.
(b) To stay within this safe harbor, you must:
- comply with all applicable laws;
- access only data that is your own or clearly synthetic, and not exfiltrate data beyond the minimum needed to demonstrate the vulnerability;
- avoid any privacy violation, data destruction, or degradation or disruption of the Service;
- not test against, access, or affect any other customer's account or data;
- conduct no load, stress, or volumetric testing of any kind, ever;
- ensure that any automated scanning does not exceed five (5) requests per second sustained;
- test only against an account you own on the free or test tier;
- stop immediately at any sign of service degradation;
- not use social engineering, phishing, or physical intrusion against 403 Finance, our staff, or our customers; and
- give us a reasonable opportunity to remediate before any public disclosure.
(c) If you make a good-faith effort to follow this policy, we will regard your research as authorized even if a mistake occurs. If legal action is initiated by a third party against you for activity that complied with this policy, we will make it known that your actions were authorized.
4. Coordinated Disclosure
Please give us a reasonable time to investigate and remediate before disclosing publicly. Our guideline is 90 days from your report, and we are happy to coordinate timing and a joint disclosure where useful. If an issue is being actively exploited or poses serious risk, contact us right away and we will work with you on an expedited timeline.
5. Rewards
We do not currently offer paid bounties. As the business grows we intend to fund a paid program, and if we launch one, we intend to retroactively recognize qualifying reports received before launch. We are grateful for responsible disclosure and, with your permission, will be glad to acknowledge and credit researchers whose reports lead to a fix.
6. Out-of-Scope Examples
The following are generally not eligible under this policy unless you can demonstrate a concrete security impact:
- volumetric or denial-of-service attacks, and load or stress testing;
- reports of spam, or of missing email or anti-spam hardening (SPF/DKIM/DMARC advisories);
- clickjacking on pages with no sensitive action or state-changing function;
- disclosure of software version banners or other non-sensitive fingerprinting;
- missing security headers or best-practice suggestions with no demonstrated exploit; and
- vulnerabilities affecting only outdated or unsupported browsers.
7. Contact
Report vulnerabilities to security@403fin.io. For all other matters, see the contact addresses in our Terms of Service.
Change History
| Version | Date | Summary |
|---|---|---|
| 1.0 | July 14, 2026 | Initial release |