Fig Bug Response Program
Fig is a game publisher based in San Francisco, CA. The Fig.co platform allows
individuals to invest in Fig Game Shares, participate in rewards-based
campaigns, and purchase or pre-order games. The platform also allows the
developers we work with to manage their games on our platform. We encourage
responsible disclosure of security vulnerabilities. We value the positive
impact of your work and thank you in advance for your contribution. This
program does not provide monetary rewards for bug submissions.
If you are able to execute an attack and gain access to our systems, accounts,
or any other type of sensitive data, we ask that you make every effort to not
leak data or damage the integrity of our systems and report the issue
privately to us via this program. Specifically, this means you must:
- Provide us with a reasonable amount of time to fix the issue before publishing it elsewhere.
- Provide us with details (code, endpoints, etc) of the vulnerability so we can find and fix it.
- Make a good faith effort to avoid interruption or degradation of our services.
- Not leak, tamper with, or destroy any Fig data.
- Not defraud Fig users or Fig itself (by making fraudulent transactions).
- Not create a large number of user accounts or fake data records.
- Not make financial transfers with compromised user account(s).
Fig maintains the following services which are within the scope of this
- Website (https://www.fig.co/). Note that systems we do not control (such as links/redirects to third-party sites) are excluded from the scope of the bounty.
The following are security vulnerabilities which would be relevant for us if
- Authentication bypass or privilege escalation
- Remote code execution
- Sensitive data leakage
- SQL injections
- Accounting errors
- Denial of service not relating to a distributed attack
Out of scope
The following issues are outside the scope of this program and should not be
- No physical attacks against Fig employees, offices, or data centers.
- No social engineering of Fig employees, users, or service providers (phishing).
- No DDoS (SYN floods, Slowloris attacks, etc)
- 3rd-party API integrations with our services.
- Vulnerabilities that are strictly client-side or require physical or malicious access to the user's device.
- Password policy.
- Our blog (https://blog.fig.co) or presences on social media (Facebook, Twitter, etc).
- This bounty program is only concerned with security-related bugs; please e-mail email@example.com for all other bugs.
Signal to Noise
The following issues are often ambiguous in nature and should be carefully
considered before a report is filed:
- Missing best practices which don't lead to a vulnerability (automated scanners tend to report these)
- Missing security headers (X-XSS-Protection, X-Content-Type-Options, X-Frame-Options, etc)
- Missing CSRF tokens which don't affect the security of the application
- SSL/TLS issues (renegotiation DoS, cipher suites, etc) unless you can demonstrate a practical attack
- Brute force attacks against user chosen passwords
- Throttling rate limits on endpoints which do not require it
In general, reports for these issues should demonstrate practical method(s)
for exploitation. Otherwise, these reports will be closed as non-applicable.
We reserve the right to cancel this program at any time. You must not violate
any law. You also must not disrupt any service or compromise anyone’s data.
Hall of Fame