2021-03-29
FetLife

No technology is perfect, and FetLife believes that working with skilled security researchers across the globe is crucial in identifying weaknesses in any technology. If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.

Response Targets

FetLife will make a best effort to meet the following SLAs for hackers participating in our program:

| Type of Response | SLA in business days |
|------------------------|------------------------------------|
| Time to first response | 5 days |
| Time to triage | 10 days |
| Time to bounty | 15 days |
| Time to resolution | depends on severity and complexity |

Program Rules

  • Reports must include concrete, clearly reproducible steps that do not require any commercial tools.

  • Register all accounts using your <hackerone_username>+x@wearehackerone.com address.

  • Do not interact with other accounts without the explicit consent of their owners.

  • Communicate with FetLife's engineering team exclusively via HackerOne.

  • Be the first person to report the issue to us. In cases where you submit a vulnerability that is already acknowledged, we will only award a bounty if it: proves to be more extensive, or provides more information.

  • If a vulnerability appears to affect multiple domains, include all of them in a single report; the reward will reflect the full impact of the issue.

Disclosure Policy

  • Let us know as soon as possible upon discovery of a potential security issue, and we'll make every effort to quickly resolve the issue.

  • Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or a third-party.

  • Make a good faith effort to avoid privacy violations, destruction of data, interruption or degradation of our service.

  • Only interact with accounts you own or with the explicit permission of the account holder.

Bounty Reward Program

To show our appreciation of responsible security researchers, FetLife offers a monetary bounty for reports of qualifying security vulnerabilities.

| Vulnerability Type | Average Bounty |
|-------------------------------------------------|----------------|
| Remote Code Execution (RCE) on FetLife Servers | $6,000 |
| SQL Injection (with output) | $4,000 |
| SQL Injection (blind) | $2,000 |
| Significant Authentication Bypass | $1,500 |
| Server Side Request Forgery (SSRF) | $1,000 |
| Local File Inclusion (LFI) | $500 |
| Stored Cross Site Scripting | $500 |
| Stored Self Cross Site Scripting | $150 |
| Self Cross Site Scripting | $50 |
| Sensitive Data Exposure | $500 |
| Authorization Flaw | $500 |
| Cross-Site Request Forgery (CSRF) | $500 |
| Insecure Direct Object Reference (IDOR) | $500 |
| Open Redirect | $150 |
| Privacy Bugs | $100 |
| Other | $100+ |

Out of Scope

We do not consider the following to be eligible vulnerabilities under this program:

  • Denial of Service

  • Email spoofing

  • Spamming

  • Rate-limiting

  • Click-jacking

  • Content spoofing

  • SPF, DMARC or other email configuration related issues

  • Lack of DNSSEC

  • SSL configuration issues

  • Disclosure of server or software version numbers

  • Generic examples of Host header attacks without evidence of the ability to target a remote victim

  • Password or account recovery policies, such as reset link expiration or password complexity

  • Theoretical sub-domain takeovers with no supporting evidence

  • Perceived security weaknesses without evidence of the ability to target a remote victim, for example credentials transmitted as plain text in a POST body over TLS, without a demonstrated impact.

  • Reports exploiting unsupported browsers

  • False reports, or reports lacking evidence of a vulnerability

  • Attacks requiring a Man-in-the-Middle, with no other possible exploitation

  • CSV injection that affects third-party applications

  • Android Application (https://github.com/fetlife/android)

  • iOS Application (https://github.com/fetlife/ios)

  • Configuration issues on end users' machines, for example password storage or cache settings.

Disqualifiers

  • Interacting with other accounts without the explicit consent of their owners.

  • Denial of service

  • Social engineering of any kind

  • Physical intrusion

  • Automated scanning and brute-forcing

  • Requests to /ads/serve, /ads/application_serve*, and /ads/click/*

  • Overwhelming our support team with messages

  • Mentioning PHP

Questions

  • You can contact us with any questions at security@fetlife.com

We offer a bounty of up to $5000 for helping us to protect our community.

In Scope

| Scope Type | Scope Name |
|-----------------|------------|
| web_application | fetlife.com |
| web_application | *.fetlife.com |

Out of Scope

| Scope Type | Scope Name |
|-----------------|------------|
| ios_application | co.bitlove.opensource.FetLife |
| other | Requests to our ad endpoints (on any server): /ads/serve, /ads/application_serve*, and /ads/click/* |
| web_application | status.fetlife.com |
| web_application | mail.fetlife.com |
| web_application | n2.fetlife.com |
| web_application | fetlifestatus.com |
| web_application | fetlifemail.com |
| web_application | com.bitlove.fetlife |
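A scope filter built from the in-scope and out-of-scope lists above, as an added example that is not part of the FetLife policy or of HackerOne's tooling. It encodes the page's host entries and the ad-endpoint path globs by hand (the program publishes no machine-readable scope), and the helper name `in_scope` and its precedence rule (an explicit exclusion, whether a listed host or an ad path on any server, wins over the `*.fetlife.com` wildcard) are assumptions of this example. The sample URLs in the demo are constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Scope transcribed from the policy page (hypothetical encoding; the program
# ships no machine-readable scope file).
IN_SCOPE_HOSTS = ("fetlife.com", "*.fetlife.com")
OUT_OF_SCOPE_HOSTS = (
    "status.fetlife.com",
    "mail.fetlife.com",
    "n2.fetlife.com",
    "fetlifestatus.com",
    "fetlifemail.com",
)
# Ad endpoints are excluded "on any server", so these are path globs that
# apply regardless of host. "/ads/serve" is listed without a trailing glob,
# so it is matched exactly (query strings are stripped before matching).
OUT_OF_SCOPE_PATHS = ("/ads/serve", "/ads/application_serve*", "/ads/click/*")


def host_matches(host: str, pattern: str) -> bool:
    """Match a hostname against a scope entry.

    A leading "*." matches one or more subdomain labels but not the bare
    apex, so "*.fetlife.com" matches "app.fetlife.com" and "a.b.fetlife.com"
    but not "fetlife.com" itself and not "notfetlife.com".
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:]) and host != pattern[2:]
    return host == pattern


def path_matches(path: str, pattern: str) -> bool:
    """Glob-match a URL path; fnmatch's '*' crosses '/' which suits prefix globs."""
    return fnmatchcase(path, pattern)


def in_scope(url: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a URL under the program's scope rules.

    Exclusions are checked first so that a listed host or an ad endpoint on
    an otherwise in-scope wildcard host is never reported as allowed.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""          # hostname drops port and credentials
    path = parts.path or "/"
    if not host:
        return False, "no host in URL"
    for pat in OUT_OF_SCOPE_PATHS:
        if path_matches(path, pat):
            return False, f"ad endpoint excluded: {pat}"
    for pat in OUT_OF_SCOPE_HOSTS:
        if host_matches(host, pat):
            return False, f"host listed out of scope: {pat}"
    for pat in IN_SCOPE_HOSTS:
        if host_matches(host, pat):
            return True, f"host in scope: {pat}"
    return False, "host not listed in scope"


if __name__ == "__main__":
    # Constructed sample URLs, not real endpoints from the page.
    for sample in (
        "https://fetlife.com/users/1",
        "https://app.fetlife.com/login",
        "https://n2.fetlife.com/",
        "https://api.fetlife.com/ads/click/42?ref=x",
        "https://notfetlife.com/",
        "https://evil.example/?u=fetlife.com",
    ):
        allowed, reason = in_scope(sample)
        print(f"{'IN ' if allowed else 'OUT'}  {sample}  ({reason})")
```

The two traps this catches are the ones that most often produce out-of-scope traffic from a proxy configured with only `*.fetlife.com`: a suffix match that accepts `notfetlife.com`, and an include rule that silently overrides the ad-endpoint exclusion on a wildcard host. Mobile package names such as `com.bitlove.fetlife` are not URLs and are never matched, which is consistent with both apps being out of scope.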


This policy was crawled by Onyphe on 2021-03-29 and is categorized as a bounty program.

FireBounty © 2015-2024
