Introduction

This Security Policy outlines FirstQuadrant Inc.’s (“FirstQuadrant”, “we”, “us”, or “our”) approach to security and how we handle security-related reports and vulnerabilities.

Our commitment to security

We take security seriously and are committed to protecting our users’ data and maintaining the security of our services. We implement industry-standard security measures and regularly review and update our security practices.

Security reporting

We do not currently operate a bug bounty program, but we welcome responsible disclosure of security vulnerabilities and can evaluate on a case by case basis. If you discover a security vulnerability in our services, we encourage you to report it to us directly. We welcome reports of high-impact issues, including (but not limited to):
  • Insecure Direct Object References (IDOR)
  • Cross-Site Scripting (XSS)
  • Server-Side Request Forgery (SSRF)
  • Remote Code Execution (RCE)
  • SQL Injection or command injection
  • Broken access controls or authentication logic
  • Sensitive data exposure (e.g., secrets, tokens, credentials)
  • Misconfigured OAuth or JWT implementations
  • Business logic flaws that could lead to abuse or fraud
These issues must be demonstrated with clear, reproducible steps showing real impact.

Out-of-scope submissions

To help us prioritize effectively, we do not accept or reward submissions for:
  • Missing security headers (e.g., X-Frame-Options, X-XSS-Protection)
  • Open redirects unless exploitable in sensitive flows (e.g., OAuth)
  • Verbose error messages without sensitive data
  • Dangling CNAMEs with no production traffic
  • SPF/DKIM/DMARC misconfigurations
  • Exposed server version banners or stack info
  • Access to robots.txt, .git, or .env without secrets
  • HTTP methods like OPTIONS or TRACE unless abused
  • Clickjacking reports on non-sensitive pages or autocomplete fields
If you believe such issues could be chained into a real exploit, please include a clear proof of concept.

How to report security issues

If you find a security vulnerability, please:
  1. Email your findings to [email protected]
  2. Provide detailed information about the vulnerability
  3. Include steps to reproduce the issue
  4. Share any relevant proof-of-concept code or screenshots
  5. Do not publicly disclose the vulnerability until we have had a chance to address it

What to expect

Upon receiving your report, we will:
  1. Acknowledge receipt of your report within 48 hours
  2. Investigate the reported vulnerability
  3. Keep you informed of our progress
  4. Work to resolve the issue as quickly as possible
  5. Credit you in our security acknowledgments (unless you prefer to remain anonymous)

Guidelines for responsible disclosure

When reporting security issues, please:
  • Do not attempt to access or modify user data
  • Do not attempt to disrupt our services
  • Do not share or publish the vulnerability until we have addressed it
  • Do not attempt to exploit the vulnerability beyond what is necessary to demonstrate it
  • Provide clear, detailed information about the vulnerability

Security acknowledgments

We maintain a list of security researchers who have responsibly disclosed vulnerabilities to us. If you would like to be credited for your report, please let us know when submitting your findings.

Updates

We may update this security policy from time to time. We encourage you to review this policy periodically to stay informed about our security practices and reporting procedures.

Questions

If you have any questions about this security policy or our security practices, please contact us at [email protected].