Soni's World LLC, doing business as ResiFactory ("we", "us", or "our"), operates the website at resifactory.net, our customer dashboard, our developer API, and related infrastructure. We take the security of our systems seriously and welcome reports from security researchers. This policy explains how to report a vulnerability, what systems are in scope, the rules we ask you to follow, and what you can expect from us in return. It complements our Terms of Service, Acceptable Use Policy, and Privacy Policy. A machine-readable version of our security contact is published at /.well-known/security.txt.
1Reporting a Vulnerability
If you believe you have found a security vulnerability in a system we operate, please report it to us privately so we can investigate and fix it before it is disclosed publicly.
- Email: [email protected] is our primary channel for security reports.
- Discord: you may also open a private ticket through Discord and ask to be routed to our security contact.
- Abuse and legal notices: non-vulnerability abuse reports and law-enforcement requests can be sent to [email protected].
To help us triage quickly, please include a clear description of the issue and its potential impact, the specific product, URL, or endpoint affected, the steps required to reproduce it (including any proof-of-concept request, script, or screenshot), and any accounts or identifiers you used during testing. Please give us a reasonable opportunity to remediate the issue before disclosing it to others, and do not disclose it publicly until we confirm it has been resolved.
2Scope
The following systems that we own and operate are in scope for this policy:
- Our marketing site and customer dashboard at
resifactory.netand the subdomains we operate; - Our developer API;
- First-party web properties and tools we host under
resifactory.net.
The following are out of scope, and you must not test them under this policy:
- Third-party services we rely on but do not operate, including Discord (login and support), Stripe and our cryptocurrency payment processor, and our content-delivery and infrastructure providers — report issues in those services to their respective vendors;
- Our upstream network and infrastructure suppliers, and the residential, mobile, or datacenter IP addresses reachable through our proxy network;
- The destinations, websites, and services that customers reach through our network, which we neither own nor control;
- The accounts, data, or traffic of any other customer or third party.
If you are unsure whether something is in scope, ask us at [email protected] before testing.
3Safe Harbor for Good-Faith Research
We will not pursue or support legal action against you for security research conducted in good faith and in accordance with this policy. If you make a good-faith effort to comply with this policy during your research, we will consider your testing to be authorized, we will work with you to understand and resolve the issue quickly, and we will not report you to law enforcement or bring a claim against you for accidental, good-faith violations.
This safe harbor applies only to claims within our control. It does not bind third parties, and it does not authorize testing against systems that are out of scope. If a third party initiates legal action against you for activity that complied with this policy, we will make it known that your actions were conducted in accordance with it. You are expected to comply with all applicable laws.
4Rules of Engagement
To keep testing safe for our customers and systems, we ask that you observe the following rules. Testing that does not follow these rules is not authorized under this policy.
- Only test against accounts and data that belong to you, or that you have explicit permission to test;
- Do not access, modify, download, or destroy data that does not belong to you. If you encounter another customer's personal data, stop immediately, do not save or share it, and tell us in your report;
- Do not degrade or disrupt our services. Do not run denial-of-service attacks, volumetric or brute-force testing, spam, or automated scans that generate excessive traffic;
- Do not use social engineering (including phishing), physical attacks against our staff or facilities, or attacks against our employees' personal accounts or devices;
- Do not attempt to pivot into third-party services, upstream suppliers, or customer destinations that are out of scope;
- Use only your own test accounts, and delete any data or resources you create during testing once you are done;
- Keep the details of any vulnerability confidential until we have confirmed it is resolved and have agreed on a disclosure timeline with you.
5What to Expect From Us
When you submit a report in line with this policy, you can expect us to:
- Acknowledge receipt of your report, ordinarily within five (5) business days;
- Work to validate the issue and keep you informed of our progress as we investigate and remediate;
- Prioritize a fix according to the severity and impact of the issue;
- Coordinate with you on the timing of any public disclosure, and credit you for the discovery if you would like to be acknowledged.
We handle any personal information contained in reports in accordance with our Privacy Policy.
6Out-of-Scope Findings and Prohibited Activity
The following are generally not eligible under this policy unless you can demonstrate a concrete, realistic security impact:
- Missing security headers, cookie flags, or best-practice recommendations with no demonstrated exploit;
- Reports generated solely by automated scanners without a working proof of concept;
- Self-inflicted issues ("self-XSS"), clickjacking on pages with no sensitive action, and missing rate limiting on non-authentication endpoints without further impact;
- Denial-of-service, volumetric, or resource-exhaustion findings;
- Vulnerabilities in third-party services, upstream suppliers, or customer destinations that are out of scope under Scope above.
The following activity is strictly prohibited and is never authorized: accessing, exfiltrating, or destroying data that is not yours; disrupting or degrading the service; extortion or threats; publicly disclosing a vulnerability before it is resolved; and any use of a discovered vulnerability beyond the minimum needed to demonstrate it.
7Recognition
We do not currently operate a paid bug-bounty program, and reports under this policy are not eligible for monetary rewards at this time. We are grateful to researchers who help keep our customers safe, and, with your permission, we are happy to publicly acknowledge your contribution once an issue has been resolved. If we introduce a formal reward program in the future, we will update this page.
8Security Contact
Our primary security contact is [email protected]. A machine-readable version of this contact, following RFC 9116, is published at /.well-known/security.txt.
The operating entity is Soni's World LLC, a New York limited liability company doing business as ResiFactory. This policy is governed by the laws of the State of New York, consistent with our Terms of Service.
Last updated: July 11, 2026.