Home Fraud Defense™ Responsible Disclosure Policy
Version: 1.0
Effective Date: May 4, 2026
Home Fraud Defense, LLC ("HFD") values the security research community and welcomes good-faith reports of security vulnerabilities in our websites, mobile apps, APIs, and infrastructure (the "Services"). This Policy describes how to report a vulnerability to us, what we promise in return, and what conduct is and is not authorized.
1. Scope
This Policy applies to vulnerabilities discovered in:
- The HFD websites at homefrauddefense.org and any subdomains we own and operate.
- The HFD mobile applications (iOS and Android), including PropSentry™.
- The HFD APIs we expose for first-party use.
Out of scope:
- Third-party services we use but do not own (Stripe, Anthropic, Replit, Bunny.net, LearnWorlds, ATTOM, etc.). Report vulnerabilities in those services to the respective vendor.
- Social-engineering attacks against HFD employees, contractors, or vendors.
- Physical attacks against HFD property.
- Denial-of-service attacks, volumetric testing, or any test that would degrade Service availability for other users.
- Findings that depend exclusively on outdated browser versions or known third-party CVEs without a working proof of concept against our deployment.
2. How to Report
Send your report to:
Email: info@homefrauddefense.org
Subject line: "Security Disclosure"
Encrypt sensitive reports using PGP if you wish; request our public key in your initial message and we will provide it.
Include:
- A clear, reproducible description of the vulnerability.
- Steps to reproduce, including request payloads, screenshots, or video where applicable.
- Affected URLs, endpoints, or app versions.
- Your name and contact information (you may report anonymously, but we cannot then thank you publicly or pay any future bounty).
- Whether you would like to be acknowledged in our published advisory and, if so, how to credit you.
3. What We Commit To
- Acknowledge receipt within two (2) business days.
- Triage and provide an initial assessment within ten (10) business days.
- Keep you informed of remediation progress at reasonable intervals.
- Coordinate disclosure timing with you. Our default disclosure window is ninety (90) days from initial report; we will work with you on extension or accelerated disclosure as the facts require.
- Not pursue legal action against good-faith researchers who comply with this Policy. This includes a commitment to consider your activity as authorized for the purposes of the Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030, the DMCA's anti-circumvention provisions (17 U.S.C. § 1201), and analogous state laws and to waive any DMCA claim against you for related research.
4. Authorized Conduct
You are authorized to:
- Test against your own accounts, or accounts for which you have explicit written permission from the account holder to test.
- Use unauthenticated endpoints in a manner consistent with normal Service use.
- Report vulnerabilities you have discovered in normal use.
5. Prohibited Conduct
You may not:
- Access, modify, copy, exfiltrate, or destroy data belonging to other users.
- Cause Service degradation, downtime, or data loss for other users (no DoS, no large-scale automated scanning that exceeds normal anti-abuse rate limits).
- Use the vulnerability to access additional systems, data, or accounts.
- Publicly disclose details of the vulnerability before HFD has had a reasonable opportunity to remediate, unless we agree otherwise.
- Engage in social-engineering attacks against HFD personnel, contractors, or vendors.
- Demand payment or threaten extortion in exchange for non-disclosure.
6. Bounty Program
HFD does not currently operate a paid bug bounty program. We may, in our discretion, offer recognition (public acknowledgment, swag) or a discretionary monetary award for material findings. We reserve the right to start, modify, suspend, or end any award program at any time without prior notice; participation in this disclosure process does not create any contractual right to payment.
7. Safe Harbor
To the maximum extent we can grant it under applicable law, we offer the following safe harbor for activity carried out in good-faith compliance with this Policy:
- We will not initiate or recommend criminal or civil action against you under the CFAA, the DMCA, the Stored Communications Act, or analogous state laws, including the Arizona Computer Tampering statute (A.R.S. § 13-2316).
- We will not pursue claims for circumvention of access controls under 17 U.S.C. § 1201 with respect to research conducted under this Policy.
- We will respond promptly and in good faith to any third-party legal inquiry about your research and clarify our authorization.
This safe harbor is not a waiver of HFD's rights with respect to actions outside this Policy or with respect to third parties whose systems may be implicated by your research.
8. Public Acknowledgment
With your permission, we will list you in our published "Security Researchers" credit at /legal/responsible-disclosure/credits after we have shipped a fix or one calendar quarter from initial report, whichever comes first.
9. Updates
We may update this Policy. The effective date at the top reflects the latest version.
10. Contact
Home Fraud Defense, LLC
9362 W Sands Drive, Peoria, AZ 85383
Email: info@homefrauddefense.org (subject line: "Security Disclosure")
Telephone: (623) 263-2382
