Banner object (1)

Hack and Take the Cash !

844 bounties in database
  Back Link to program      
Fig logo
Hall of Fame


Fig Bug Response Program

Fig is a game publisher based in San Francisco, CA. The platform allows individuals to invest in Fig Game Shares, participate in rewards-based campaigns, and to purchase or pre-order games. The platform also allows the developers we work with to manage their games on our platform. We encourage responsible disclosure of security vulnerabilities. We value the positive impact of your work and thank you in advance for your contribution. This program does not provide monetary rewards for bug submissions.

Responsible Disclosure

If you are able to execute an attack and gain access to our systems, accounts, or any other type of sensitive data, we ask that you make every effort to not leak data or damage the integrity of our systems and report the issue privately to us via this program. Specifically, this means you must:

  • Provide us with a reasonable amount of time to fix the issue before publishing it elsewhere.
  • Provide us with details (code, endpoints, etc) of the vulnerability so we can find and fix it.
  • Make a good faith effort to avoid interruption or degradation of our services.
  • Not leak, tamper, or destroy any Fig data.
  • Not defraud Fig users or Fig itself (by making fraudulent transactions).
  • Not create a large number of user accounts or fake data records.
  • Not make financial transfers with compromised user account(s).


Fig maintains the following services which are within the scope of this program:

  • Website ( __). Note that systems we do not control (such as links/redirects to third-party sites) are excluded from the scope of the bounty.

The following are security vulnerabilities which would be relevant for us if they exist:

  • Authentication bypass or privilege escalation
  • Remote code execution
  • Sensitive data leakage
  • SQL injections
  • Accounting errors
  • XSS/CSRF/click-jacking
  • Denial of service not relating to a distributed attack

Out of scope

The following issues are outside the scope of this program and should not be attempted:

  • No physical attacks against Fig employees, offices, or data centers.
  • No social engineering of Fig employees, users, or service providers (phishing).
  • No DDoS (SYN floods, Slowloris attacks, etc)
  • 3rd-party API integrations with our services.
  • Vulnerabilities that are strictly client-side or require physical or malicious access to the user's device.
  • Password policy.
  • Our blog ( __) or presences on social media (Facebook, Twitter, etc).
  • This bounty program is only concerned with security-related bugs, please e-mail for all other bugs.

Signal to Noise

The following issues are often ambiguous in nature and should be carefully considered before a report is filed:

  • Missing best practices which don't lead to a vulnerability (automated scanners tend to report these)
  • Missing security headers (X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, etc)
  • Missing CSRF tokens which don't affect the security of the application
  • SSL/TLS issues (renegotiation DoS, cipher suites, etc) unless you can demonstrate a practical attack
  • Brute force attacks against user chosen passwords
  • Throttling rate limits on endpoints which do not require it

In general, reports for these issues should demonstrate practical method(s) for exploitation. Otherwise, these reports will be closed as non-applicable.

We reserve the right to cancel this program at any time. You must not violate any law. You also must not disrupt any service or compromise anyone’s data.

FireBounty © 2015-2019

Legal notices