Security & Vulnerability Disclosure

We welcome responsible reports of security vulnerabilities affecting Prospera Loans. This page describes how to contact us, what information to include, the boundaries for good-faith testing, and how we handle valid reports.

Effective date: April 16, 2026

Last updated: April 16, 2026

1. Contact and Reporting Channel

Please send security reports to developer@prosperaloans.co.za.

Use this address for suspected vulnerabilities in our public website, borrower portal, admin portal, authentication flows, APIs, or related security controls. Do not use the general complaints process for security issues unless you cannot reach the reporting channel.

Our published machine-readable disclosure file is available at https://prosperaloans.co.za/.well-known/security.txt.

2. What to Include in a Report

A high-quality report should include:

  • A clear summary of the issue and the affected endpoint, page, or workflow.
  • Step-by-step reproduction details, including prerequisites and user role assumptions.
  • The security impact, including what confidentiality, integrity, or availability risk exists.
  • Proof-of-concept requests, screenshots, logs, or payloads that demonstrate the issue safely.
  • Your assessment of severity and any recommended remediation if available.

If you believe customer, borrower, or admin data may be exposed, minimize access, preserve evidence responsibly, and report the issue immediately.

3. Scope and Testing Expectations

This policy applies to Prospera-controlled public web properties and application workflows, including loan application, borrower servicing, authentication, and administrative surfaces that we operate directly.

When testing, we ask researchers to avoid:

  • Accessing, altering, deleting, or retaining non-public customer or employee data.
  • Actions that could degrade availability, trigger denial-of-service conditions, or disrupt borrowers.
  • Credential stuffing, brute force activity, spam, phishing, social engineering, or physical attacks.
  • Persistent changes to accounts, balances, repayment records, or regulated borrower workflows.
  • Testing against third-party services unless the issue is clearly within our direct control.

Nothing on this page authorizes destructive testing, privacy violations, or activity that would exceed what is reasonably necessary to confirm a vulnerability.

4. How We Handle Reports

We review submitted reports, validate the issue, assess business and security impact, and route confirmed findings through our internal remediation process.

Our target operating timelines are:

  • Acknowledge receipt within 3 business days.
  • Provide an initial triage outcome or follow-up questions within 10 business days.
  • Prioritize remediation according to severity, exploitability, and regulatory or customer impact.

Complex issues may require longer investigation or coordinated remediation windows, especially where financial systems, identity controls, or third-party dependencies are involved.

5. Disclosure and Communications

We ask reporters to avoid public disclosure until we have had a reasonable opportunity to investigate and remediate the issue. If coordinated disclosure is appropriate, we will discuss timing once the issue is validated.

We do not publish a standing bug bounty or guaranteed reward program unless separately announced in writing.

6. Recognition

Where appropriate and with the reporter's consent, we may acknowledge meaningful, responsibly disclosed findings after remediation or acceptance of risk.

Recognition is discretionary and depends on report quality, originality, and whether the finding was submitted in line with this policy.

7. Related Policies

For personal-information handling and breach-response context, review our Privacy Policy. For general service complaints, use our Complaints Procedure. This disclosure page is not a substitute for regulated complaints or customer support channels.