Responsible Disclosure welcomes reports from third party security researchers and their help in making our services and platforms more secure.

We are officially LIVE on BugCrowd! This means they will be officially fielding all bug submissions moving forward and we will work with our internal teams to patch/respond to any issues found. Users can reach out to to request access to the program.

Bug Bounties

In case of valid vulnerabilities, we are happy to pay out an appropriate bounty. At this time, we do not have a formal bounty tier and rate list and determine bounty amounts on a case-by-case basis.

Note: This may change in the future

Out of Scope Vulnerabilities

The following vulnerabilities are considered insignificant. No bounties will be awarded for them.

  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS mis-configuration on non sensitive end points
  • Missing cookie flags on non-sensitive cookies
  • Missing security headers which do not present an immediate security vulnerability
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Tab nabbing and reverse tab nabbing
  • Bypassing rate-limits or the non-existence of rate-limits
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking on pages without sensitive actions
  • CSV Injection
  • Host Header Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Hyperlink injection/takeovers
  • Cross-domain referer leakage
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection
  • Username / email enumeration
  • E-mail bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing / Version disclosure
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Weak SSL configurations and SSL/TLS scan reports
  • Not stripping metadata of images
  • Disclosing API keys without proven impact
  • Disclosing credentials without proven impact
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Crashes due to malformed URL Schemes
  • Attacks requiring the usage of shared computers, man in the middle or compromised user accounts
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
  • Attacks requiring unrealistic user interaction
  • Spam, social engineering and physical intrusion

Additionally, the following rules apply:

  • Known Vulnerabilities: In case that a reported vulnerability was already known to the company from their own tests, no bounties will be awarded.
  • Theoretical Vulnerabilities: Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, may be excluded.
  • DoS/DDoS attacks or brute force attacks: These attacks are strictly prohibited and will be reported to relevant law enforcement agencies.
  • Patching delay: Recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available. We need time to patch our systems just like everyone else - please give us 2 weeks before reporting these types of issues.

Out of Scope Domains

Note: Any domains starting with* or* are out of the scope in addition to the list below:

Rules of Engagement
  • Please clean up remnants of your testing and do not interfere with the normal operation of the site.
  • Please do NOT use automatic scanners. We will NOT accept any submissions found by using automatic scanners.
  • Provide detailed but to-the point reproduction steps.
  • Include a clear attack scenario, a step by step guide in the PoC is required.
  • Recommendations for mitigation are appreciated.
  • Do not exploit the identified leak: only collect the information necessary to demonstrate its existence.
  • Do not change or delete any data or system settings.
  • Handle any found data in a responsible manner: if you can demonstrate that there is a security problem with a small portion, do not go any further.
  • Please do NOT publish/discuss bugs before they are fixed.
  • Remember: quality over quantity! considers ethical hacking activities that follow these rules to be “authorized” conduct under criminal law. We will not pursue legal action as long as you comply by these rules, or in case of any accidental, good faith violations.

Data exfiltration, continued exploitation, and public disclosure prior to review shall be considered malicious activity, and not authorized. We will pursue legal action including notification of Law Enforcement.

Note: Please allow us 10-14 days to investigate bug bounty reports, in addition to this, payments to security researchers can only be made by Venmo or PayPal at the moment.

Thank you,

Figment Security.

Light blue dots