FUR4 Responsible Disclosure & Bug Bounty Program
Security is a top priority at FUR4.
We appreciate the efforts of the security community in helping us maintain the safety and trust of our platform. If you’ve discovered a vulnerability in our systems, we want to hear from you.
This program is designed to recognize security researchers who responsibly disclose vulnerabilities that could affect the privacy, integrity, or availability of our systems or users.
⸻
Program Overview
We encourage responsible disclosure of any security issues found in:
• www.fur4.com and all public subdomains
• Our customer, dealer, referral, and owner portals
• Public APIs and mobile apps (if applicable)
• Any services directly owned or operated by FUR4
⸻
What We’re Looking For
We reward vulnerabilities that are:
• Previously unknown
• Within scope
• Able to be reproduced and verified
In-Scope Vulnerabilities
• Authentication bypass
• Remote code execution (RCE)
• SQL injection
• Cross-site scripting (XSS)
• Privilege escalation
• Sensitive data exposure
• Access control issues
Out-of-Scope Issues
• Denial of service (DoS)
• Rate limiting or brute-force attacks
• Social engineering
• SPF/DMARC misconfigurations
• Clickjacking
• Vulnerabilities in outdated browsers or plugins
⸻
Reward Tiers
Rewards vary based on severity, exploitability, and business impact.
Severity | Reward Range
Low | $50 – $150
Medium | $200 – $500
High / Critical | $1,000+
Note: Not all valid reports qualify for a bounty. Reward amounts are determined at our discretion.
⸻
How to Submit a Report
Please include:
• A clear description of the issue
• Step-by-step instructions to reproduce
• Screenshots or proof-of-concept code
• Affected endpoint(s) or asset(s)
Send your report to: [email protected]
⸻
Rules of Engagement
• Do no harm. Never exploit the vulnerability beyond proof-of-concept.
• Respect privacy. Do not access or alter user data.
• No automated scans. Excessive traffic may result in IP bans.
• Wait for remediation. Do not publicly disclose vulnerabilities before we’ve resolved them.
⸻
Recognition
If your report is valid and results in a fix, we’ll:
• Reward you financially (if eligible)
• Thank you publicly (optional)
• Offer early access to new platform features and security testing previews