Marlee Vulnerability Disclosure Program (VDP)

Introduction

At Marlee, we take the security and privacy of our users seriously. We value the work of the security research community and encourage responsible disclosure of any potential vulnerabilities that could impact our platform, users, or data.

This Vulnerability Disclosure Program (VDP) outlines how to report potential security issues safely and responsibly — and how we commit to handling them.

Our Commitment

If you act in good faith and adhere to this policy:

  • We will not pursue or support legal action against you for your research activities.
  • We will work with you to understand, validate, and remediate the issue promptly.
  • We will publicly acknowledge your contribution (if you wish) once the issue is resolved.

Scope

The following are in scope for this program:

  • *.getmarlee.com and app.getmarlee.com
  • *.f4s.com legacy domains
  • Our public web application, APIs, and authenticated user experiences
  • Mobile apps and integrations we own or operate

Out of scope:

  • Third-party services (e.g. payment providers, hosting, analytics)
  • Social media accounts
  • Denial-of-Service (DoS) or stress tests
  • Spam or social engineering targeting Marlee employees or users
  • Physical security testing

If you’re not sure whether a system or endpoint is in scope, please ask first: security@getmarlee.com

What to Report

Please report any vulnerability that could:

  • Expose personal or confidential data
  • Compromise user authentication or authorization
  • Allow remote code execution, privilege escalation, or injection
  • Enable cross-site scripting (XSS), CSRF, or clickjacking
  • Manipulate or interfere with API functionality or data integrity

Reporting Guidelines

To submit a report:

  1. Email security@getmarlee.com with:
    • A concise description of the issue
    • Steps to reproduce or a non-destructive proof of concept (PoC)
    • Impact assessment (what data or functionality could be affected)
    • Your contact details and PGP key (optional)
  2. Please avoid:
    • Accessing, modifying, or deleting data that isn’t your own
    • Running automated scanners or exploit scripts on production systems
    • Sharing details publicly before we resolve the issue

We may ask for additional details or reproduction steps in a sandbox or test environment.

Our Process

When you report a vulnerability:

  1. We will acknowledge receipt within 3 business days.
  2. We will triage and verify the issue.
  3. We will remediate or mitigate validated issues promptly.
  4. We will notify you when the issue is resolved.

We will, if appropriate, include your name or handle in our Hall of Thanks page.

Rewards

We currently do not offer monetary bounties.

However, we do:

  • Recognize valid reports on our Hall of Thanks (with your consent).
  • Occasionally offer swag or symbolic gifts for critical findings.

When we establish a formal bug bounty program, it will be announced publicly.

Legal Safe Harbour

We consider vulnerability research conducted under this policy to be authorized if you:

  • Comply with this policy and act in good faith;
  • Avoid actions that could harm users or services;
  • Do not access, modify, or exfiltrate data;
  • Do not disrupt or degrade our services.

We will not initiate or support legal action for such good-faith research. This aligns with:

  • Australian Criminal Code (Computer Offences, Part 10.7)
  • U.S. CFAA “good faith security research” interpretations
  • EU / GDPR Recital 49 on network and information security

Privacy and Data Protection

If you encounter any personal data during your testing:

  • Stop testing immediately.
  • Do not save, copy, transmit, or share that data.
  • Report the finding and the data exposure to security@getmarlee.com immediately.

We operate globally under GDPR-aligned data protection standards, so all reports involving personal data must be handled confidentially and lawfully.

Coordinated Disclosure Timeline

We ask researchers to give us a 14-day disclosure window to validate and remediate before public disclosure.
We may request reasonable extensions depending on issue complexity and risk.

Contact

security@getmarlee.com
If your report involves an immediate or severe risk to customer data, mark the email subject as URGENT SECURITY REPORT.

© 2025 Marlee Australia Pty Ltd.
Marlee operates under the Fingerprint for Success Group and complies with Australian privacy law and GDPR. This policy does not create any contractual or payment obligation between Marlee and any researcher.