Figured supports the responsible disclosure of security vulnerabilities, as it is one of our top priorities to protect the privacy of our customer's data.
We ask that if external parties find any sensitive information, potential vulnerabilities and/or weaknesses that they please help by disclosing it to us in a responsible manner.
Responsible disclosure is based on four main basic principles:
Both parties will act in good faith to identify and fix security vulnerabilities.
Both parties will ensure they act within the law.
Finders should be able to come to owners directly without relying on a third party without fear of vexatious legal action.
Finders must provide accurate details of the vulnerability, including information needed to reproduce and validate the vulnerability.
We guarantee that if a researcher discloses issues to us in a responsible manner, following the guidelines on this page, then we won't proceed with any legal action.
Staging environment and test accounts
If you are researching security issues, please get in touch so we can set up a staging environment and test accounts that you sign up and control, and limit your testing to those accounts and environment which are under your control. This is to respect the privacy of our other users.
We request that parties do not engage in any of the following:
Attempts to modify/destroy/corrupt other users data in the production environment.
Attempts to (D)DoS Figured products, services or applications.
Any violations of applicable law.
Accessing other users' account details or any other user's private information
We may ask parties to destroy any information they hold that does not belong to them after we have confirmed the vulnerability.
Bug bounty
We do not currently have a paid bug bounty program.
Commitment
Reports submitted to Figured in good faith, and pursuant to this process, will result in Figured’s commitment to the following:
We will acknowledge any person who responsibly discloses bugs/vulnerabilities in our products or infrastructure.
Any information shared with us will be kept confidential within Figured where permitted by law.
Contact us
To start a conversation with the Figured Information Security Team, or to contact us for any other reason, please email us at privacy@figured.com. We will aim to respond within five working days (hopefully sooner!), and will then discuss any timelines for further responses with you.