Responsible Disclosure

Figment welcomes reports from third party security researchers and their help in making our services and platforms more secure.

We are officially LIVE on BugCrowd! This means they will be officially fielding all bug submissions moving forward and we will work with our internal teams to patch/respond to any issues found. Users can reach out to to request access to the program.

Bug Bounties

In case of valid vulnerabilities, we are happy to pay out an appropriate bounty. At this time, we do not have a formal bounty tier and rate list and determine bounty amounts on a case-by-case basis.

Note: This may change in the future

Out of Scope Vulnerabilities

The following vulnerabilities are considered insignificant, and no bounties will be awarded for them:

  • Self-XSS that cannot be used to exploit other users
  • Verbose messages/files/directory listings without disclosing any sensitive information
  • CORS mis-configuration on non sensitive end points
  • Missing cookie flags on non-sensitive cookies
  • Missing security headers which do not present an immediate security vulnerability
  • Cross-site Request Forgery with no or low impact
  • Presence of autocomplete attribute on web forms
  • Tab nabbing and reverse tab nabbing
  • Bypassing rate-limits or the non-existence of rate-limits
  • Best practices violations (password complexity, expiration, re-use, etc.)
  • Clickjacking on pages without sensitive actions
  • CSV Injection
  • Host Header Injection
  • Sessions not being invalidated (logout, enabling 2FA, etc.)
  • Hyperlink injection/takeovers
  • Cross-domain referer leakage
  • Anything related to email spoofing, SPF, DMARC or DKIM
  • Content injection
  • Username / email enumeration
  • E-mail bombing
  • HTTP Request smuggling without any proven impact
  • Homograph attacks
  • XMLRPC enabled
  • Banner grabbing / Version disclosure
  • Open ports without an accompanying proof-of-concept demonstrating vulnerability
  • Weak SSL configurations and SSL/TLS scan reports
  • Not stripping metadata of images
  • Disclosing API keys without proven impact
  • Disclosing credentials without proven impact
  • Arbitrary file upload without proof of the existence of the uploaded file
  • Crashes due to malformed URL Schemes
  • Attacks requiring the usage of shared computers, man in the middle or compromised user accounts
  • Vulnerabilities that are limited to non-current browsers (older than 3 versions) will not be accepted
  • Attacks requiring unrealistic user interaction
  • Spam, social engineering and physical intrusion

Additionally, the following rules apply:

  • Known Vulnerabilities: In case that a reported vulnerability was already known to the company from their own tests, no bounties will be awarded.
  • Theoretical Vulnerabilities: Theoretical security issues with no realistic exploit scenario(s) or attack surfaces, or issues that would require complex end user interactions to be exploited, should not be reported.
  • DoS/DDoS attacks or brute force attacks: These attacks are strictly prohibited and will be reported to relevant law enforcement agencies.
  • Patching delay: We need time to patch our systems just like everyone else – please give us 2 weeks before reporting issues relating to recently disclosed zero-day vulnerabilities in commercial products where no patch or a recent patch (< 2 weeks) is available. 

Out of Scope Domains

Note: Any domains starting with* or* are out of the scope in addition to the list below:

Rules of Engagement

  • Please clean up remnants of your testing and do not interfere with the normal operation of the site.
  • Please do NOT use automatic scanners. We will NOT accept any submissions found by using automatic scanners.
  • Provide detailed but to-the point reproduction steps.
  • Include a clear attack scenario.
  • Recommendations for mitigation are appreciated.
  • Do not exploit the identified leak: only collect the information necessary to demonstrate its existence.
  • Do not change or delete any data or system settings.
  • Handle any found data in a responsible manner: if you can demonstrate that there is a security problem with a small portion, do not go any further.
  • Please do NOT publish/discuss bugs before they are fixed.
  • Remember: quality over quantity!
  • You must be at least 18 years of age; if you are considered a minor where you live, you must have your parent’s or legal guardian’s permission prior to submitting a vulnerability.
  • Only engage in vulnerability testing within the scope of this program. 
  • Do not engage in any activity that can potentially or actually cause harm to Figment, our customers, or our employees.
  • Do not engage in any activity that can potentially or actually stop or degrade Figment’s services or assets.
  • Do not engage in any activity that violates any applicable federal, provincial/ state and/or local laws or regulations in connection with your security research activities or other participation in this vulnerability disclosure program.
  • Do not disclose information related to your findings to any third party or the public without Figment’s prior written consent in each instance.
  • Any and all information acquired or accessed by you as part of this exercise is confidential to Figment and you shall hold the confidential information in strict confidence and shall not copy, reproduce, sell, assign, licence, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purposes other than for the performance of your work.
  • Do not store, share, compromise or destroy Figment or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Figment.

Figment will not pursue legal action against you as long as you submit your findings in accordance with the above rules. Figment reserves all legal rights in the event of noncompliance with these rules.

Data exfiltration, continued exploitation, and public disclosure prior to Figment review shall be considered malicious, unauthorised activity, and, in such instances, Figment will pursue legal action against you, including reporting such activity to law enforcement agencies.

Note: Please allow us 10-14 days to investigate bug bounty reports. In addition, please note that payments to security researchers can only be made by Venmo or PayPal at this time. 

By submitting a report, you are indicating that you have read, understand, and agree to the above requirements.

Thank you,

Figment Security.