We want FineFriends to be save
But your help is necessary
The security and privacy of our users is very important to us. Despite our concern for this, there can still be vulnerabilities present. If you happen to find a vulnerability, please report it as soon as possible. If you do this, you can help us on our mission to protect our users. This program is not intended for submitting general issues about FineFriends. Please use the regular support channels for these issues.
See who helped us to keep FineFriends save in the Hall of Fame.
If you comply with the policies below when reporting a security issue to FineFriends, we will not initiate a legal consequences. We ask that:
- You give us enough time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
- You do not interact with an account (which includes modifying or accessing data from the account) if the account owner has not allowed you to do so.
- You do everything you can to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data and interruption of our services.
- You do not exploit a security issue you discover. This also includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.
- You do not intentionally violate any other laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
- You are not authorized to access user data or company data, including (but not limited to) personally identifiable information.
Examples what NOT to do
If you find a vulnerability, do not abuse it. These are some examples of what you are NOT allowed to do:
- Place malware
- Copy, edit or delete data from the system(s)
- Change the system(s)
- Repeatedly gain access to the system or share access with others
- DoS attacks
- Social engineering
Reporting a vulnerability
To report a vulnerability, please create a ticket. Please include a thorough explanation of the vulnerability. You can also send an email to email@example.com.
Please see the following tips when writing your report:
- Write detailed steps explaining how to reproduce the bug. This should include any links you clicked on, pages you visited, URLs, user IDs, etc. Images and video can be helpful if you also include written explanations.
- Clear descriptions of any accounts used in your report and the relationships between them. Please do not use the same name on multiple accounts to avoid confusion.
- Quality before quantity.
If you send a video, consider these tips:
- Keep it short by showing only the parts necessary to demonstrate the bug once. (Remove or redo mistakes that might happen while recording.)
- Record at a resolution where text or URLs are readable.
- Provide commentary or instructions in your messages or video description instead of typing on-screen during the video.
- Setting FineFriends to English while recording steps helps us quickly identify what features you use.
- If a large amount of text appears in your video, please include a copy in your messages as well.
- Keep the video private either by sending it as an attachment or posting it privately online (such as with a hidden link or password that you send to us).
We will respond as soon as possible. Please make sure to keep an eye on your ticket/inbox, as well as your spam folder for replies regarding your report, or add firstname.lastname@example.org to your contact/trusted list! It might be possible that we ask you for more information to help identify or fix the issue faster. We will fix the vulnerabilty as soon as possible.
If your report is valid, we can offer you a place in the Hall of Fame as a reward.
Keep in mind that the official scope for the responsible disclosure does only include FineFriends (websites and apps) and not other (third-party) software like the bugtracker. While we do invite you to research this other software as well, under the same terms as stated above, this does not guarantee a listing in the hall of fame.
Did you not receive an email back after a few days? Please check your spam folder for replies regarding your report!