Last updated: March 2025
Overview
FP Validated deeply values the contributions of ethical and responsible security researchers towards enhancing the security and integrity of our products. We openly invite members of the security community to assess the security of our systems for potential vulnerabilities, ensuring that our services remain secure for our customers.
Should you discover a security vulnerability within any of our applications or services, we urge you to inform us. However, we ask that you first familiarise yourself with the guidelines on this page and adhere to the outlined rules and recommendations.
Services in Scope
We consider any FP Validated-owned application or service that processes reasonably sensitive user information as within scope. This encompasses web services hosted under the following domains:
- *.4pillars.io
- *.fpvalidated.io
General Rules
To ensure a productive, secure, and respectful partnership, we advise you to:
- Use only your own accounts for bug hunting, avoiding any interaction with third-party accounts without the explicit written consent of the account owner.
- Refrain from actions that could violate privacy, diminish user experience, disrupt production systems, or result in data destruction or manipulation.
- Limit the exploitation of discovered security vulnerabilities to the minimum necessary for verifying the vulnerability.
- Submit detailed reports with steps that can be reproduced.
- Note that we are currently unable to offer monetary rewards, but we extend our sincerest appreciation to researchers dedicated to investigating and reporting security vulnerabilities under this program.
Qualifying Vulnerabilities
Any design or implementation issue that affects the confidentiality or integrity of user data is likely to be considered significant. We are particularly interested in:
- Server-side code execution
- SQL injection
- Unrestricted file system access
- Authentication / Authorization bypass
- Server-side request forgery reaching internal services
- Cross-site scripting (XSS)
- Cross-site request forgery on sensitive actions
- Sensitive information leakage
- Business logic flaws with high security impact
Non-qualifying Vulnerabilities
Submissions of the following types are unlikely to be reviewed or receive a response:
- Scanner output or reports generated by scanners
- Denial of Service attacks
- Brute Force attacks
- CSV Injection
- Security issues in third-party services not operated by FP Validated
- Vulnerabilities requiring physical access to an unlocked device
- Spam or Social Engineering techniques
- Issues related to Password Policy
- Disclosure of non-sensitive information (e.g. product version, path)
- CSRF on non-significant actions or actions that do not require authentication
- Framing / clickjacking without demonstrated security impact
- Self-XSS without a demonstrated impact on users
- Lack of security mechanism without demonstrated tangible security impact
- SSL / TLS misconfigurations (e.g. weak cipher-suites)
- Vulnerabilities affecting only users of outdated or unpatched browsers
- Insecure cookie settings for non-sensitive cookies
- Bugs that do not pose a security risk
Reporting a Vulnerability
If you have found a vulnerability, please contact us at security@4pillars.io.
To make the review process smooth and effective, please include all technical details required to identify and reproduce the issue. The report should normally include:
- Vulnerable host or application name
- Brief description of the issue
- Brief description of the impact (e.g. unauthorized access, privilege escalation)
- Link to the calculated CVSS v3.0 rating
- Steps to reproduce
- Attack scenario
Public Disclosure
- Be patient and give us reasonable time to review and fix the issue you have reported. We are committed to fixing valid submissions within 90 days.
- Do not disclose any vulnerability details before a fix has been applied and a reasonable amount of time has been given for users to update.