Introduction
This Security Policy outlines FirstQuadrant Inc.’s (“FirstQuadrant”, “we”, “us”, or “our”) approach to security and how we handle security-related reports and vulnerabilities.
Our commitment to security
We take security seriously and are committed to protecting our users’ data and maintaining the security of our services. We implement industry-standard security measures and regularly review and update our security practices.
Security reporting
We do not currently operate a bug bounty program, but we welcome responsible disclosure of security vulnerabilities and will evaluate each report on a case-by-case basis. If you discover a security vulnerability in our services, we encourage you to report it to us directly. We welcome reports of high-impact issues, including (but not limited to):
- Insecure Direct Object References (IDOR)
- Cross-Site Scripting (XSS)
- Server-Side Request Forgery (SSRF)
- Remote Code Execution (RCE)
- SQL Injection or command injection
- Broken access controls or authentication logic
- Sensitive data exposure (e.g., secrets, tokens, credentials)
- Misconfigured OAuth or JWT implementations
- Business logic flaws that could lead to abuse or fraud
Out-of-scope submissions
To help us prioritize effectively, we do not accept or reward submissions for:
- Missing security headers (e.g., X-Frame-Options, X-XSS-Protection)
- Open redirects unless exploitable in sensitive flows (e.g., OAuth)
- Verbose error messages without sensitive data
- Dangling CNAMEs with no production traffic
- SPF/DKIM/DMARC misconfigurations
- Exposed server version banners or stack info
- Exposed robots.txt, .git, or .env files that contain no secrets
- Enabled HTTP methods such as OPTIONS or TRACE, unless they can be abused
- Clickjacking on non-sensitive pages, or autocomplete enabled on form fields
How to report security issues
If you find a security vulnerability, please:
- Email your findings to [email protected]
- Provide detailed information about the vulnerability
- Include steps to reproduce the issue
- Share any relevant proof-of-concept code or screenshots
- Do not publicly disclose the vulnerability until we have had a chance to address it
What to expect
Upon receiving your report, we will:
- Acknowledge receipt of your report within 48 hours
- Investigate the reported vulnerability
- Keep you informed of our progress
- Work to resolve the issue as quickly as possible
- Credit you in our security acknowledgments (unless you prefer to remain anonymous)
Guidelines for responsible disclosure
When reporting security issues, please:
- Do not attempt to access or modify user data
- Do not attempt to disrupt our services
- Do not share or publish the vulnerability until we have addressed it
- Do not attempt to exploit the vulnerability beyond what is necessary to demonstrate it
- Provide clear, detailed information about the vulnerability