Responsible Disclosure

Last updated June 1, 2026
Effective June 1, 2026

Fibric acts on real systems, so security is foundational to the platform. If you have found a vulnerability, we want to hear from you. This policy explains how to report it, what is in scope, and the protections we extend to good-faith research.

Our commitment

We take every credible report seriously, investigate promptly, and work to remediate confirmed issues quickly. We will treat your report confidentially, keep you informed of our progress, and not pursue legal action against research conducted in good faith under this policy. Security is a partnership, and we are grateful to the researchers who help us keep customers safe.

Scope

In scope: the Fibric platform, our public web applications and APIs, and the marketing site at our primary domains. We are especially interested in issues that could break tenancy isolation, the fail-closed trust model, authentication, or the integrity of operator actions and receipts.

Out of scope: third-party services and subprocessors we do not control, customer-configured connectors and systems, and anything listed under Out of scope below. When in doubt, ask before testing.

How to report

Email security@fibric.io with enough detail for us to reproduce and assess the issue. A good report includes:

  • A clear description of the vulnerability and its potential impact.
  • Step-by-step instructions to reproduce it, including affected URLs, endpoints, or components.
  • Any proof-of-concept, request/response samples, or screenshots — with sensitive data redacted.
  • Your assessment of severity and how to reach you for follow-up.

Please report promptly after discovery and give us a reasonable opportunity to remediate before any public disclosure.

Safe harbor

If you make a good-faith effort to comply with this policy during your research, we will consider your actions authorized, will not pursue or support legal action against you for that research, and will not report it to law enforcement. We will work with you to understand and resolve the issue quickly. This safe harbor does not extend to actions that violate the law, harm others, or fall outside the guidelines below. If a third party brings legal action against you for activity conducted in accordance with this policy, we will make our authorization known.

What to expect

  • Acknowledgement — we aim to acknowledge your report within three business days.
  • Triage — we validate and assess severity, and may follow up for more detail.
  • Updates — we keep you informed of progress through remediation.
  • Resolution — we prioritize fixes by risk and coordinate timing with you where disclosure is involved.

Guidelines

To keep customers safe while you research, please:

  • Do not exfiltrate data. Access only the minimum needed to demonstrate an issue, and never download, retain, or share data that is not yours.
  • Do not disrupt the service. No denial-of-service, resource exhaustion, spam, or automated scanning that degrades availability.
  • Respect tenancy and privacy. Do not attempt to access, modify, or correlate other tenants' or individuals' data. Use only your own test accounts.
  • Stop and report if you encounter personal data, credentials, or another tenant's information, and delete any incidental copies.
  • Keep it confidential until we have remediated and agreed on disclosure.

Recognition

We do not currently operate a paid bug-bounty program, but we are glad to acknowledge researchers who responsibly report valid, previously unknown vulnerabilities — with your permission and after a fix is in place. Let us know how you would like to be credited.

Out of scope

The following are generally not eligible under this policy:

  • Reports from automated scanners without a demonstrated, exploitable impact.
  • Denial-of-service, volumetric, or rate-limiting findings.
  • Social engineering, phishing, or physical attacks against Fibric, its staff, or its customers.
  • Missing best-practice headers or configurations with no demonstrated security impact.
  • Issues in third-party services, subprocessors, or customer-configured systems we do not control.
  • Vulnerabilities requiring a compromised device, rooted environment, or outdated browser.