Responsible Disclosure Policy

TaxWallet (“Company”, “we”, “our”) is committed to maintaining a secure platform for tax professionals, taxpayers, financial partners, and enterprise clients. This Responsible Disclosure Policy outlines the authorized method for reporting potential security vulnerabilities.

This Policy applies to all TaxWallet properties, including:

• www.taxwallet.ai (marketing site),

• app.taxwallet.ai (SaaS dashboard),

• TaxWallet mobile applications (iOS & Android),

• API endpoints, integrations, and partner systems.

By engaging in any form of testing or reporting, you agree to comply with this Policy.

TaxWallet uses industry-standard encryption, secure development practices, and continuous monitoring aligned with IRS Publication 4557, NIST CSF, and FTC Safeguards Rule requirements.

While we strive to maintain the highest level of security, no system is entirely free of vulnerabilities. We value responsible researchers who report issues privately and cooperatively.

If you believe you have discovered a security vulnerability, you must report it immediately to:

security@taxwallet.ai

Your report must include, whenever possible:

• A clear description of the issue,

• Steps to reproduce,

• Tools, payloads, or methods used,

• Impact assessment,

• Relevant screenshots or logs.

We acknowledge receipt within 72 hours and will provide updates as appropriate.

ONLY non-destructive, good-faith research is allowed. You agree NOT to:

• Access, modify, or delete any customer or taxpayer data,

• Attempt tax return manipulation or e-file interference,

• Execute denial-of-service (DoS or DDoS) attacks,

• Perform brute-force attacks or credential stuffing,

• Access or attempt to access EFIN-protected data,

• Target banking partners, refund transfer systems, or financial rails,

• Conduct social engineering against employees or users,

• Install malware or attempt exploitation beyond proof-of-concept.

You must stop testing immediately if you encounter live taxpayer or financial information.

The following systems are in-scope:

• TaxWallet mobile apps (iOS/Android),

• app.taxwallet.ai authenticated dashboard,

• Public marketing site and landing pages,

• API endpoints explicitly published for developer use.

The following systems are out-of-scope:

• Partner systems such as Pathward, PaySafe, Authorize.net, IntellyPay, ERO transmitters, or merchant processors,

• Any IRS-operated systems, including MeF,

• Customer infrastructure (tax offices' devices, networks, or hardware),

• Any third-party integrations not controlled by TaxWallet.

Out-of-scope testing may be subject to legal action.

Provided you fully comply with this Responsible Disclosure Policy, TaxWallet will:

• Not pursue legal action under the Computer Fraud and Abuse Act (CFAA),

• Not pursue DMCA claims,

• Not terminate your access unless strictly required.

Safe Harbor DOES NOT apply if:

• You intentionally access personal data,

• You attempt financial or tax-related manipulation,

• You publicly disclose a vulnerability before remediation,

• You violate any applicable laws or conduct harmful activity.

You agree not to share, publish, discuss, or disclose vulnerability details with any third party until TaxWallet has confirmed the issue is resolved and has given written authorization for disclosure.

Unauthorized disclosure voids Safe Harbor protections and may result in legal action.

TaxWallet does not operate a public bug bounty program.

Submission of a vulnerability report does not entitle you to:

• Payment, reward, referrals, employment opportunities, or public recognition.

Any discretionary compensation will be determined exclusively by TaxWallet and is not guaranteed.

Any attempt to exploit a vulnerability beyond minimal, proof-of-concept validation is strictly prohibited.

This includes:

• Data harvesting,

• Attempting to obtain taxpayer records,

• Interfering with ERO operations,

• Manipulating refund calculations or e-file transmissions.

Malicious activity will be referred to law enforcement and relevant regulators immediately.

TaxWallet handles highly sensitive data, including identity documents, tax returns, financial records, signatures, banking workflows, and merchant transactions.

Researchers must NOT attempt to:

• Access private user accounts,

• View tax returns or PDF documents,

• Retrieve stored payment methods (encrypted),

• Interfere with merchant processing or refund transfer systems.

Doing so will void Safe Harbor and may result in permanent platform bans and legal action.

TaxWallet complies with:

• IRS Publication 4557 (Safeguarding Taxpayer Data),

• IRS Publication 1345 (E-File Requirements),

• FTC Safeguards Rule,

• GLBA requirements,

• State privacy regulations.

Researchers must avoid actions that would place TaxWallet or its partners in violation of these rules.

TaxWallet may modify this Responsible Disclosure Policy at any time.

Changes become effective immediately upon publication.

Your continued testing or reporting constitutes acceptance of the updated Policy.

TaxWallet Security & Compliance Office

Email: security@taxwallet.ai

For urgent or high-severity issues, include the subject line: URGENT: SECURITY REPORT.