Security Policy

Vulnerability Disclosure

We take security seriously and appreciate responsible disclosure of vulnerabilities. If you discover a security issue, please contact us through one of the methods below.

Contact Information

Scope

In Scope

  • twofiftypool.com and all subdomains
  • Cross-site scripting (XSS)
  • SQL injection
  • Authentication bypass
  • Server-side code execution
  • Directory traversal

Out of Scope

  • Social engineering attacks
  • Denial of Service (DoS) attacks
  • Brute force attacks
  • Physical attacks
  • Issues requiring physical access
  • Self-XSS that cannot affect other users

Application Information

TFP 250 Pool is a fantasy football application that manages participant entries and scoring for a private fantasy football pool. The application handles:

  • Participant team selections and scoring
  • Real-time NFL data integration
  • Historical season data
  • Public leaderboards and analysis

Data Handling: This application does not store sensitive personal information beyond email addresses for participation coordination. No payment information or sensitive personal data is collected or processed.

Responsible Disclosure Guidelines

  1. Report First: Contact us before publicly disclosing any vulnerability
  2. Provide Details: Include steps to reproduce, impact assessment, and any relevant screenshots
  3. Allow Time: Give us reasonable time to investigate and fix the issue
  4. Avoid Data Access: Do not access, modify, or delete data that doesn't belong to you
  5. Respect Privacy: Do not compromise other users' privacy or disrupt the service

Security Measures

We implement multiple security layers including:

  • HTTPS encryption for all traffic
  • Content Security Policy (CSP) headers
  • HTTP Strict Transport Security (HSTS)
  • Input validation and sanitization
  • Regular security updates and monitoring

Last updated: August 26, 2025