Please contact us if you have found a security vulnerability.

It is our mission to keep our users safe online by providing secure products to protect them and maintain their privacy. We constantly monitor and test our systems but are aware that as a global software company, we will always be a popular target for cybercriminals. We run a responsible disclosure program that offers a reward for an yone finding and reporting to us a vulnerability in our products, website, or system. We take all reports regarding a security issue seriously and will work with you to thoroughly analyze your findings.

If you find any indications of a vulnerability in any of our systems, we kindly ask you to inform us as soon as possible and not to disclose externally until you have done so. This is to ensure that we protect our users by preventing a malicious actor from taking advantage of the situation.

Please follow these steps to make a report:

Report any indications for a potential security vulnerability to FINSA by emailing security@finsa.es.


Provide detailed information about your findings (including available indications, for example, IP addresses, logs, screenshots).

Do not take advantage of the vulnerability or the problem you have discovered, (for instance, attempt to capture, change or delete any more data than necessary to demonstrate the vulnerability).

Do not disclose information about the vulnerability publicly until we have taken action to remediate it.

Once you report a vulnerability to us, we will respond within SEVEN business days to work with you on evaluating the issue and determining next steps.

We will handle your report with strict confidentiality, and will not pass any of your details to any third party without your explicit permission.

We will keep you informed of progress as we resolve the issue.

With your permission, we will credit you by giving your name as the discoverer of the problem (unless you do not want us to), and you will be a proud member of our hacker hall of fame.

What are we looking for:

Cross-site Scripting
Open redirect
Cross-site request forgery
File inclusion
Authentication bypass
Server-side code execution

What is NOT scoring at all:

Missing Cookie flags on non-session cookies or 3rd party cookies
Logout CSRF
Social engineering
Denial of service
SSL BEAST/CRIME/etc
Email spoofing, SPF, DMARC & DKIM.