At FormAssembly, our customers entrust us with storing their data and the security of that data is our first priority. We appreciate the role the security research community plays in fulfilling this objective. We are committed to the pursuit of collaborative effort with this community to improve our security and we wish to acknowledge and recognize those who have made an effort to improve our security. If you believe you've discovered a security issue within our guidelines, we encourage you to report the issue to us.
The scope of this program is limited to technical vulnerabilities on FormAssembly-related applications and services under the following domains:
Testing is prohibited for the following hostname patterns:
Any reports including these domains will be automatically rejected and the user will be subject to permanent disqualification from this program.
No testing is permitted against production enterprise resources, regardless of hostname. To test our enterprise application, please use enterprisedemo.formassembly.com as the target. You may log in to this application as the administrative user demo with the password
To participate in the FormAssembly disclosure program, you must be the first person to responsibly disclose a previously unknown issue. Our staff will assess each report to determine if it is an eligible disclosure. We strive for a quick response and will respond to your report within 30 days. Additionally, we will request up to 90 days to implement a fix depending on the severity and complexity of the report.
Implementing a fix is not the same as releasing a fix. The release of a fix will be determined based upon the severity and complexity of the disclosure. Due to the complexity of deployments at FormAssembly, a release may not occur within the 90-day window. We will keep you updated during this process.
We also believe that a 30-day response, 90-day resolution timeline is a reasonable one to govern our process. Please allow for this process to complete before publicly disclosing the vulnerability or contents of the report. Public disclosure prior to completion of this process will result in disqualification of your report.
Subject to the exclusions below, we appreciate issues related to the FormAssembly infrastructure, FormAssembly user data, and the FormAssembly application, including, but not limited to:
All reports must contain data to ensure compliance with the disclosure program. We may request additional information to ensure compliance, such as the IP address associated with the testing, user accounts created to perform testing, approximate timestamps of testing, and other information related to your testing process. You can help expedite the review process by providing this information in your initial report.
As a general rule, providing as much relevant information as possible in the disclosure will ensure an expedited response. We recommend that you describe the risk identified, justify your submission and its alleged severity, provide a proof of concept, and include any other relevant information.
Please do not upload files in an archive format. Upload files individually.
While we will consider submissions involving the following categories, we will not accept disclosures for each unless the disclosure is noteworthy in terms of technical implementation, creativity, severity, or other relevant criteria.
The following conditions are absolutely excluded from this disclosure program. Any submissions of these excluded categories will result in permanent disqualification.