Vulnerability Disclosure Policy

Overview

At Futurae, we take security, privacy and transparency seriously. If you believe you have found a security vulnerability on Futurae, we encourage you to let us know right away.

Scope

This policy applies to security and privacy vulnerabilities found in:

  • All public-facing services provided by Futurae, for example the Futurae APIs (api.futurae.com) and the Admin Dashboard (admin.futurae.com).
  • All software and SDKs provided by Futurae, such as our mobile SDKs.
  • All infrastructure managed by Futurae, including cloud hosting infrastructure, mail servers, file servers, etc.

Reporting

Disclosing a Vulnerability

To report a security vulnerability, contact us at: security@futurae.com

Please include the following:

  • A detailed summary of the vulnerability.
  • Steps to reproduce.
  • Affected systems/IP address/Domain.
  • Logs, screenshots.
  • Proof-of-concept code. Note: Please don’t upload code and other materials to public repositories.

Important: We prefer encrypted messages. Our PGP key is available here: https://www.futurae.com/pgp-key.txt

Submitting a Pentest Report

If you are submitting a pentest report containing findings on Futurae, please:

  • Submit the report only to security@futurae.com.
  • Include information about the entity which mandated the penetration test (usually this will be a Futurae customer or partner).
  • Whenever possible, please use our PGP key to encrypt the pentest report and any other sensitive information you wish to share via email.
  • Do not share the report and its findings with other Futurae personnel with whom you may be in contact.

What to Expect from Us

  1. We will acknowledge the report within 5 business days.
  2. We will provide a status update within 10 business days.
  3. We will inform you about the remediation.
  4. We will handle your report with strict confidentiality.

Bug Bounty Program and Rewards

We run a bug bounty program on HackerOne in collaboration with one of our partners who is the owner of the particular program. You can find it here: https://hackerone.com/airlock. The included scope is a subset of what is stated in this policy. Feel free to check the program out, learn more about the scope and the respective rewards and submit your findings through the HackerOne platform.

Good Faith Security Research is accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public, and where the information derived from the activity is used primarily to promote the security or safety of the class of devices, machines, or online services to which the accessed computer belongs, or those who use such devices, machines, or online services.

We consider Good Faith Security Research to be authorized activity that is protected from adversarial legal action by us. We waive any relevant restriction in our Terms of Use and/or Acceptable Use Policies that conflicts with the standard for Good Faith Security Research outlined here.

We commit to:

  • Not pursuing legal action against individuals who report vulnerabilities in Good Faith Security Research.
  • Taking steps to make known that you conducted Good Faith Security Research if someone else brings legal action against you.

Memo to Researchers

  • Do not exploit the vulnerability beyond what is necessary to prove its existence.
  • Do not attempt to access, modify, or delete data that is not your own.
  • Respect the privacy and confidentiality of Futurae and our customers.
  • Do not attempt Denial of Service or Distributed Denial of Service attacks, or any activity that could degrade the availability of our services.
  • After exploitation, do not move laterally or leave backdoors, rootkits, or scheduled tasks.
  • Do not use social engineering, phishing, or similar techniques against Futurae personnel or users.