Vulnerability Disclosure Policy

Introduction

At Feebris, we are committed to strengthening the security of our platform and services, and thus welcome security researchers to disclose any vulnerabilities found directly to us.

This policy describes how Feebris works with the security community in the context of finding and responsibly reporting security vulnerabilities.

It is mandatory that this policy is read prior to reporting any security vulnerability as it clearly describes what is not allowed, what is allowed, and how any vulnerabilities can be reported responsibly. Failing to follow this policy will reduce the chance of a response to your vulnerability report and the chance of an honourable mention or bounty, in case it is applicable.

Conditions

Security researchers must not:

• Disrupt Feebris systems or services;
  
• Modify or destroy data of Feebris systems or services;
  
• Disclose any found vulnerabilities to the public or third parties;
  
• Violate the privacy of Feebris users, employees, systems or services;
  
• Use high-intensity invasive, automatic, or destructive scanning / exploit tools;
  
• Require financial compensation under threat of withholding vulnerabilities or release vulnerability information to the public;
  
• Use malware;
  
• Use the discovered vulnerability in any way beyond proving / demonstrating its existence (e.g. exploit the vulnerability to pivot to internal systems, compromise a system and persistently maintaining access to it, etc); or
  
• Use social engineering, spam or phishing techniques.
  

In order to protect our customers and services, we ask security researchers to securely delete any data retrieved during research as soon as the data is no longer required, or within a month of the vulnerability being resolved, whichever occurs first.

Reporting

If you believe you’ve discovered a security vulnerability in one of our services, please email us at security@feebris.com.

A vulnerability report should contain:

• Detailed description of the discovered vulnerability and its potential impact;
  
• Date and time when the vulnerability was discovered;
  
• Detailed description of the steps required to recreate the vulnerability;
  
• PoC scripts / sample code used to trigger the vulnerability (if any); and
  
• Any additional information, screenshots or recordings.
  

We will:

1. Investigate and verify the presence of the vulnerability;
2. Address the vulnerability, assess it's relative severity and develop a fix, if deemed relevant; and
   
3. Notify you when the vulnerability has been fixed.
   

We also ask for a reasonable time to respond to a report and address the discovered vulnerability. Fixes and mitigations are prioritized depending on the impact severity and ease of exploitation. We will make our best effort to communicate every update throughout the entire process. Researchers are welcomed to inquire about updates within reason (no more than once every 14 days).

If you do find critical information, such as Personal Identifiable Information or financial information, please include the urgency of the matter in the subject line of your email to the Feebris security team.

Out-of-Scope Vulnerabilities

1. TLS/SSL configuration weaknesses (e.g. weak / insecure cipher suites, renegotiation attacks).
2. Vulnerabilities obtained via the compromise of a Feebris customer account or Feebris employee accounts.
3. Denial of Service (DoS / DDoS) attacks against Feebris systems or services.
4. User interface bugs or typos.
5. Login / logout CSRF.
6. Missing HTTP security headers that do not lead directly to a vulnerability.
7. Presence / absence of DNS records.
8. Password, email and account policies (e.g: email id verification, password complexity).
9. Lack of CSRF tokens in non-sensitive actions.
10. Attacks requiring physical access to a user's device.
11. Report the use of a known-vulnerable library (without evidence of exploitability).
12. Missing cookie flags without clearly identified security impact.
13. Open redirectors.
14. CSRF or clickjacking with no practical use to attackers.
15. CSRF that requires the knowledge of a secret.
16. Exposed metrics or other type of not confidential data.
17. Missing best practices, configuration or policy suggestions.
18. Vulnerabilities that require a man-in-the-middle scenario to be exploited.
    

Previously reported vulnerabilities or security vulnerabilities already discovered by internal procedures are not eligible.

Recognition

Vulnerabilities reported and acknowledged to be valid are subject to public recognition of the author on our upcoming Hall of Fame page, depending on the criticality of the vulnerability. Any form of compensation will be considered but will not be guaranteed. This is dependent on the criticality of the vulnerability and the then-current budget.

In addition, security researchers that are able to submit a valuable security vulnerability will be added to our private Bug Bounty Program in the future.

Safe Harbour

Feebris will not take legal action against security researchers who submit vulnerability reports following the terms indicated in this document or for accidental, good faith violations of this policy, as long as the reason for the accidental / good faith violation has been clearly stated.

Legal

Feebris reserves the right to modify the terms and conditions of this policy. By reporting a security vulnerability to Feebris on or after that effective date, you agree to the then-current Terms.