Security
Responsible Disclosure
We take security seriously and welcome reports from researchers acting in good faith. This page sets out how to report a vulnerability, what is in scope, and the safe harbour we offer in return.
How to report
Email info@getlynko.com with:
- A clear description of the issue and its impact.
- Step-by-step instructions to reproduce (a proof-of-concept is ideal).
- The affected URL or endpoint.
- Your name or handle if you'd like public credit, and a contact we can reply to.
PGP is available on request. Please do not file vulnerabilities in public issue trackers.
What we commit to
- Acknowledge your report within 5 working days.
- Triage and confirm severity within 10 working days.
- Fix critical issues within 30 days; lower severity on a risk-based timeline.
- Keep you updated and credit you in our hall of fame on request once a fix has shipped.
Scope
- getlynko.com and all subdomains (*.getlynko.com).
- The Lynko web application and dashboard.
- The Lynko card short-link redirect service.
Out of scope
- Third-party services we use (Stripe, Lovable Cloud, Cloudflare) — please report those directly to the provider.
- Denial-of-service, volumetric, or load-testing attacks.
- Social engineering of Lynko staff, customers, or suppliers.
- Physical attacks against offices or hardware.
- Automated scanner output with no working proof-of-concept.
- Missing best-practice security headers without demonstrated impact.
- Self-XSS, clickjacking on unauthenticated pages, or missing rate-limits without impact.
Rules of engagement
- Test only against accounts you own or have explicit permission to test.
- Never access, modify, or exfiltrate another user's data — stop and report as soon as you can demonstrate access.
- Do not degrade the service for other users.
- Keep details of the vulnerability confidential until we've shipped a fix. We follow a 90-day coordinated-disclosure window.
Safe harbour
If you follow the rules above, we will consider your testing authorised and will not pursue legal action under the UK Computer Misuse Act 1990, our Terms of Service, or related laws. If a third party brings action against you in connection with your good-faith research, we will make it known that your activity was authorised.
Rewards
We don't currently run a paid bounty programme. Valid reports receive public credit (with your permission) and Lynko swag where we can. We'll revisit a paid programme as we grow.
Contact
Security reports or privacy questions: info@getlynko.com.
Last updated: 22 June 2026 · Last reviewed: 22 June 2026 · Version 2026-06-22-v1