Cruip Logo

Vulnerability Disclosure Policy

Last updated: 8/10/2024

1. Introduction

At Firewall, we take the security of our systems seriously. We value the input of security researchers and the broader community in helping to maintain high security standards. This policy sets out our commitments and guidelines for responsible vulnerability disclosure.

2. Scope

This policy applies to all Firewall's publicly accessible systems and services, including our website and security platform.

3. How to Report a Vulnerability

If you believe you've found a security vulnerability in one of our systems, please report it to us as soon as possible by emailing support@thefirewall.org. Please include:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • Any proof-of-concept code
  • The potential impact of the vulnerability

4. What to Expect

When you submit a vulnerability report, you can expect:

  • A confirmation of receipt within 24 hours
  • Our commitment to keep you informed as we investigate
  • An update on the outcome of our investigation within 90 days

5. Guidelines

We ask that you:

  • Provide us reasonable time to respond to and mitigate an issue before disclosing it publicly
  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Only interact with accounts you own or have explicit permission to access
  • Not engage in extortion or attempt to access non-public data

6. Safe Harbor

We consider security research conducted under this policy to be:

  • Authorized in accordance with the Computer Fraud and Abuse Act (CFAA)
  • Exempt from DMCA prohibition on circumventing technological measures
  • Exempt from restrictions in our Terms & Conditions that would interfere with conducting security research
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith

7. Rewards

While we do not currently offer a paid bug bounty program, we will publicly acknowledge your contribution if you are the first to report a unique vulnerability and we make a code or configuration change based on it.

8. Exclusions

This policy does not apply to:

  • Third-party applications or websites that integrate with our services
  • Issues that are already known to us or have been previously reported

9. Legal

This policy is not a guarantee of legal safe harbor. We may modify the terms of this policy or terminate it at any time.