Security

If you have discovered or believe you have discovered a potential security vulnerability, we encourage you to disclose it in accordance with this responsible disclosure program.

We will work with you to validate and respond to security vulnerabilities that you report to us. Because public disclosure of a security vulnerability could put the entire FusionAuth community at risk, we require that you keep such potential vulnerabilities confidential until we are able to address them. We will not take legal action against you or suspend or terminate your access to any FusionAuth services, provided that you discover and report security vulnerabilities in accordance with this Responsible Disclosure Program. FusionAuth reserves all of its legal rights in the event of any noncompliance.

Please read this carefully to ensure you understand both the allowed and disallowed methods for discovery. FusionAuth reserves all of its legal rights in the event of any noncompliance.

We encourage responsible security research on the FusionAuth website - fusionauth.io, and all sub-domains, FusionAuth Cloud services, and other FusionAuth web services and standalone software libraries. We allow you to conduct vulnerability research and testing on the FusionAuth Cloud services to which you have authorized access. Authorized access includes FusionAuth Cloud services that you have purchased, FusionAuth Cloud account management for your account, or company owned account.

In no event shall your research and testing involve:

1. Accessing, or attempting to access, accounts or data that does not belong to you or your Authorized Users.
2. Any attempt to modify or destroy any data.
3. Executing, or attempting to execute, a denial-of-service attack, whether intentional or unintentional.
4. Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages.
5. Testing third party websites, applications or services that integrate with the FusionAuth Cloud services or self-hosted services.
6. Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software, or otherwise attempting to interrupt or degrade FusionAuth Cloud services or other FusionAuth web services including the FusionAuth website.
7. Any activity that violates any applicable law.
   

Please take the time to read and understand each of the above points. In the event that you do not have adequate clarity on the method of your discovery, please inquire before proceeding to ensure compliance.

We encourage anyone that believes they have found a security vulnerability in our website, FusionAuth Cloud, FusionAuth, or other FusionAuth web services, to responsibly disclose the issue.

If you can get FusionAuth to do something it isn't supposed to do that causes it to lose data integrity, availability, leak information, or provide unauthorized access to APIs or data - you found a vulnerability and we want to know about it - right now! 🧐

We want to reward you for your efforts in helping us continue to enhance product security. We do this by paying out bounties for security vulnerabilities to the first person to complete a verifiable disclosure. Please review and follow these simple rules before you submit your disclosure.

Please do these things, it will serve us both.

1. Read and carefully review the Discovering Security Vulnerabilities section above.
2. Submit your disclosure to the form provided below.
3. Include a clear description of the vulnerability, how it works and the impact of the exploit.
4. Include a working example, or extensive documentation. Screenshots, or videos may provide supporting evidence, but are not adequate by themselves. The more details the better.
5. Provide proof that the reported vulnerability can be exploited.
6. Verify your claims are correct and valid, each claim should be supported by the documented recreate steps.

Please don't do any of these things, it won't help either of us.

1. Demand status updates on existing submissions. We will do our best to be timely.
2. Ask for ransom, or any suggested bounty. Don't be that guy.
3. Send a link to a best practice unless you can demonstrate a workable exploit that would be solved by the linked content.
4. Describe a theoretical vulnerability, we deal mostly in the real world.

It may take us from 1-2 weeks to review the report and verify the vulnerability. If your report not does not meet the submission guidelines, or does not adequately prove a vulnerability the report will be rejected.

In most cases, when a report is rejected, the FusionAuth security team will respond to ask for additional clarification or evidence. However, if it is clear that the reporter has not invested any reasonable amount of time to follow the submission guidelines, no response will be offered. We value your time and effort, we ask that you do the same for us.

Once we determine a report has identified a real vulnerability you can expect that we will let you know we have accepted your report. If we are able to offer you a bounty, we will communicate the amount, and ask you for preferred payment method. Please note that does not guarantee we can use your preferred method, but we will do our best.

If we can improve this submission guide, provide additional clarification, examples etc., please contact us.