If you discover a security vulnerability in transfa, please report it privately so we can fix it before public disclosure.
Do not open a public GitHub issue for security vulnerabilities.

Email: tansfa.sh@gmail.com

Please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce or a proof-of-concept (if safe to provide)
- Any suggested mitigations you have in mind

We aim to acknowledge reports within 48 hours and provide a fix or mitigation timeline within 7 days for critical issues.

We're interested in:
- Authentication or authorization bypasses
- File access without a valid link
- Data leakage between users
- Remote code execution
- Denial-of-service via API abuse (provide request samples, not live attacks)

Out of scope:
- Rate limit bypasses that don't expose user data
- Issues requiring physical access to the server
- Attacks against third-party services we integrate with (Stripe, etc.)
- Social engineering

We ask that you:
- Give us reasonable time to fix the issue before public disclosure
- Avoid accessing or modifying data that isn't yours
- Refrain from running automated scanners against the production service without prior consent

We will credit researchers who responsibly report valid vulnerabilities (unless you prefer anonymity).

Only the latest production deployment at transfa.sh is actively maintained.