Vulnerability Disclosure Policy

This policy applies to all security vulnerabilities discovered in the following systems operated by Mystocks:

• All *.mystocks.africa domains and subdomains
• Mystocks mobile applications (iOS and Android)
• All Mystocks-operated APIs and backend services
• Investment and trading infrastructure

The following vulnerability types and activities are explicitly excluded from this policy:

• Physical attacks against Mystocks offices or infrastructure
• Social engineering and phishing attacks targeting Mystocks staff or customers
• Denial-of-service (DoS/DDoS) attacks or volumetric testing
• Automated scanner output without a demonstrated proof-of-concept exploit
• Self-XSS vulnerabilities that require a victim to execute their own payload
• Missing HTTP security headers without a demonstrated exploit path
• Best-practice recommendations that do not constitute an actionable vulnerability
• Vulnerabilities in third-party services or libraries outside our direct control

Please send your vulnerability report to security@mystocks.africa. To help us triage and respond quickly, include the following:

• A clear description of the vulnerability and its potential impact
• Step-by-step reproduction instructions
• The affected component, endpoint, or application
• Proof-of-concept code, screenshots, or screen recordings
• Your assessment of the severity and exploitability
• Your preferred contact method for follow-up

We take every report seriously. Here is what you can expect after submitting a vulnerability:

To ensure responsible disclosure and protect all Mystocks users, researchers must adhere to the following guidelines while testing:

• Only test against accounts you own or have explicit permission to test
• Do not access, modify, or exfiltrate data belonging to other users
• Do not perform any actions that could disrupt service availability or harm platform integrity
• Immediately report any accidental access to other users' data and do not retain copies
• Do not publicly disclose vulnerability details until we have confirmed remediation
• Act in good faith — the goal is to improve security, not to cause harm

Mystocks does not currently operate a paid bug bounty programme. We do not offer monetary compensation for vulnerability reports at this time. However, we deeply value the contributions of security researchers who help keep our platform and customers safe. Where a reported vulnerability is validated and resolved, we are happy to publicly acknowledge your contribution — with your consent — in our security hall of fame.

Mystocks will not pursue legal action against security researchers who discover and responsibly disclose vulnerabilities in good faith, in compliance with this policy. We consider responsible vulnerability research to be a valuable contribution to the security of our platform and customers. We pledge to work collaboratively with researchers who follow these guidelines and will not refer matters to law enforcement where disclosure is made in accordance with this policy.