Responsible Disclosure

Figment welcomes reports from third party security researchers and their help in making our services and platforms more secure.

Bug Bounties

Figment believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. We currently have a vulnerability disclosure program in place on BugCrowd, you can find more details here.

Rules of Engagement

  • Required: Must use [username] email alias for any user account testing activity.
  • Please clean up remnants of your testing and do not interfere with the normal operation of the site.
  • Please do NOT use automatic scanners. We will NOT accept any submissions found by using automatic scanners.
  • Provide detailed but to-the point reproduction steps.
  • Include a clear attack scenario.
  • Recommendations for mitigation are appreciated.
  • Do not exploit the identified leak: only collect the information necessary to demonstrate its existence.
  • Do not change or delete any data or system settings.
  • Handle any found data in a responsible manner: if you can demonstrate that there is a security problem with a small portion, do not go any further.
  • Please do NOT publish/discuss bugs before they are fixed.
  • Remember: quality over quantity!
  • You must be at least 18 years of age; if you are considered a minor where you live, you must have your parent’s or legal guardian’s permission prior to submitting a vulnerability.
  • Only engage in vulnerability testing within the scope of this program.
  • Do not engage in any activity that can potentially or actually cause harm to Figment, our customers, or our employees.
  • Do not engage in any activity that can potentially or actually stop or degrade Figment’s services or assets.
  • Do not engage in any activity that violates any applicable federal, provincial/ state and/or local laws or regulations in connection with your security research activities or other participation in this vulnerability disclosure program.
  • Do not disclose information related to your findings to any third party or the public without Figment’s prior written consent in each instance.
  • Any and all information acquired or accessed by you as part of this exercise is confidential to
  • Figment and you shall hold the confidential information in strict confidence and shall not copy, reproduce, sell, assign, licence, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purposes other than for the performance of your work.
  • Do not store, share, compromise or destroy Figment or customer data. If Personally Identifiable Information (PII) is encountered, you should immediately halt your activity, purge related data from your system, and immediately contact Figment.

Figment will not pursue legal action against you as long as you submit your findings in accordance with the above rules. Figment reserves all legal rights in the event of noncompliance with these rules.

Data exfiltration, continued exploitation, and public disclosure prior to Figment review shall be considered malicious, unauthorised activity, and, in such instances, Figment will pursue legal action against you, including reporting such activity to law enforcement agencies.

Note: Please allow us 10-14 days to investigate vulnerability disclosure reports. In addition, please note that payments to security researchers can only be made by Venmo or PayPal at this time.

By submitting a report, you are indicating that you have read, understand, and agree to the above requirements.

Thank you,

Figment Security.