Vulnerability Disclosure Policy

Introduction

At Fidureon, the security of our systems and our customers' data is a top priority. We appreciate the work of security researchers and believe that a responsible disclosure program is essential to maintaining a secure ecosystem. This policy describes how to report vulnerabilities to us and what you can expect in return.

Guidance / Safe Harbor

If you make a good-faith effort to comply with this policy during your security research, we will:

• Consider your research to be authorized.
• Work with you to understand and resolve the issue quickly.
• Not pursue any legal action or initiate a complaint against you.

Scope

In-Scope:

• Our primary web application: https://app.fidureon.com
• Our corporate website: https://fidureon.com

Out-of-Scope:

• Third-party integrations or sub-processors.
• Social engineering or phishing attacks against our employees.
• Denial of Service (DoS/DDoS) attacks.
• Physical security attacks against our offices or data centers.

Reporting a Vulnerability

Please submit your findings to [email protected]. To help us triage your report, please include:

• A description of the vulnerability and its potential impact.
• Detailed steps to reproduce the issue (Proof of Concept).
• Any tools or environments used during discovery.
• (Optional) Your preferred name or handle for recognition.

Our Commitment

In alignment with the Minimum Viable Secure Product (MVSP) standards:

• Initial Response: We will acknowledge receipt of your report within 3 business days.
• Triage: We will provide an initial assessment of the finding within 10 business days.
• Remediation: We aim to fix critical vulnerabilities within 30 days of confirmation.
• Confidentiality: We ask that you do not disclose the vulnerability to the public or third parties until we have had a reasonable amount of time to address it.