Responsible Vulnerability Disclosure Program
Report vulnerabilities and get recognized for keeping Pocket FM safe
How to report a vulnerability
1. Identify the impact
What could this affect? Think about users, data, or the platform; how serious is it?
2. Document the issue
Provide detailed steps to reproduce, expected vs actual behavior, and affected endpoints, flows, or components
3. Attach evidence
Add screenshots, recordings, or logs so we can quickly verify and resolve the issue
4. Send it our way
Submit your report with your contact details. We'll review and follow up if needed.
Found a vulnerability?
Send us a detailed report. Our security team will review and respond within 2 business days. We take every submission seriously.
You can also reach us at vdp@pocketfm.com
We accept reports for vulnerabilities affecting Pocket FM-owned systems, including:
- Mobile applications (Android & iOS)
- Web platform
- Public APIs and backend services
- Content delivery systems (including audio streaming and DRM mechanisms)
- Domains, as applicable to the app or web platform, including:
- https://pocketfm.com
- https://cms.pocketfm.com
- https://flow.pocketfm.com
- https://studio.pocketfm.com
- https://copilot.pocketfm.com
- https://partner.pocketfm.com
- https://www.pocketnovel.com
- https://blaze.pockettoons.com
- https://pocketshort.com
Out of scope
- Previously known breaches/issues or leaked credential dumps
- Open redirects without meaningful impact
- Error messages or debug info without exploitability
- Server fingerprinting
- Public file exposure (e.g., robots.txt)
- Clickjacking without impact
- CSRF on unauthenticated forms
- Logout CSRF
- Missing HTTP security headers
- TLS/SSL configuration issues
- Weak password policy alone
- DNS/email configuration issues (SPF/DKIM/DMARC)
- Non-exploitable host header injection
- Issues requiring non-enumerable IDs
- Content moderation / AI behavior issues without security impact
- Clipboard data leakage
- URI leaks via other apps
- Missing certificate pinning
- HTTPS-secured traffic exposure claims
- Local storage access without privilege escalation
- Code obfuscation issues
- Hardcoded non-sensitive keys
- App crashes without security impact
- Missing exploit mitigations (PIE, ARC, etc.)
- Jailbreak-only attack scenarios
- Local data storage concerns
- Missing obfuscation or anti-debugging
- Pasteboard/snapshot leakage
- Pocket FM reserves the sole and final discretion to evaluate the validity, severity, and impact of all submitted vulnerability reports.
- This program does not currently offer monetary rewards. Valid submissions may be recognized as part of "Hall of Fame" on this page.
- Duplicate reports or issues already known to Pocket FM may not be eligible for recognition.
- Submissions must comply with the program guidelines. If they don't, it may result in ineligibility for acknowledgment.