Security Policy
FUR4 Responsible Disclosure & Bug Bounty Program
Security is a top priority at FUR4.
We appreciate the efforts of the security community in helping us maintain the safety and trust of our platform. If you’ve discovered a vulnerability in our systems, we want to hear from you.
This program is designed to recognize security researchers who responsibly disclose vulnerabilities that could affect the privacy, integrity, or availability of our systems or users.
⸻
Program Overview
We accept responsible disclosure of legitimate, exploitable security vulnerabilities that materially impact the security, privacy, or financial integrity of our systems.
This program is not intended for automated scans, speculative findings, best-practice suggestions, or low-effort reports.
Submissions that do not demonstrate real-world exploitability and impact will be rejected without response.
⸻
Eligibility Requirements (Read Carefully)
To be eligible for a bounty, all of the following must be true:
• You are 18 years of age or older
• You are not:
  • A current or former employee
  • A contractor, subcontractor, or vendor
  • An affiliate, partner, advisor, or consultant
  • Employed by or affiliated with any company that has provided development, security, QA, DevOps, or infrastructure services to us
• You are not acting on behalf of any affiliated individual or company
• You can legally participate in a bug bounty program under all applicable laws
Any submission that violates these eligibility requirements is automatically disqualified.
⸻
Scope
In-Scope
• Production web applications and APIs owned and operated by us
• Authentication and authorization mechanisms
• Account access controls
• Payment, checkout, and order flows
• User data exposure and privacy controls
Out-of-Scope
• Denial-of-Service (DoS/DDoS) or traffic flooding
• Social engineering, phishing, or pretexting
• Physical security attacks
• Third-party systems and dependencies (including but not limited to AWS, Stripe, Twilio, Deel)
• Missing security headers or best-practice-only findings
• Self-XSS or clickjacking without sensitive impact
• Issues requiring unrealistic or impractical user interaction
• Rate-limiting observations without demonstrated exploitation
⸻
Reporting Requirements
Valid reports must include:
• Clear description of the vulnerability
• Exact, reproducible steps to exploit
• Proof of exploitability and real-world impact
• Supporting evidence (screenshots, logs, or proof-of-concept)
We will reject reports that are:
• Automated scan output
• Duplicate reports
• Vague, speculative, or theoretical
• Previously known, already reported, or already mitigated
Prohibited Actions
Do not:
• Access or modify data beyond what is strictly necessary to demonstrate impact
• Attempt lateral movement or persistence
• Disrupt production services
• Publicly disclose vulnerabilities before remediation is complete and authorized
⸻
Duplicate Reporting & First-Reporter Rule
• Bounties are awarded only to the first eligible reporter who submits a valid, complete, and reproducible report for a given vulnerability.
• Duplicate reports receive no bounty, regardless of quality or detail.
• Timestamp of receipt determines priority.
• We do not split or share rewards between multiple reporters.
⸻
Severity Levels & Rewards
Bounties are awarded at our sole discretion, based on actual impact, exploitability, and scope.
🔴 Critical — $300–$500
Examples:
• Authentication bypass
• Account takeover
• Unauthorized access to sensitive user data
• Payment, order, or pricing manipulation
🟠 High — $150–$300
Examples:
• Privilege escalation
• IDOR with sensitive data exposure
• Stored XSS with real impact
• Business logic flaws causing financial or data risk
🟡 Medium — $50–$150
Examples:
• Reflected XSS with demonstrated impact
• CSRF on sensitive actions
• Limited-scope data exposure
🟢 Low — $10–$50
Examples:
• Minor information disclosure
• Low-impact misconfigurations
• Edge-case validation issues
🔵 Informational — No bounty
Examples:
• Best-practice suggestions
• Theoretical or non-exploitable findings
• Missing headers without demonstrated impact
⸻
Payment Terms & Compliance (Non-Negotiable)
• All bounties are paid exclusively via Deel.com
• Net 30 payment terms from the date the issue is validated and accepted
• Identity verification and tax compliance via Deel are required
We do not pay via:
• Cryptocurrency
• PayPal, Wise, Venmo
• Direct bank transfer
• Gift cards
Failure or refusal to complete Deel onboarding voids the bounty.
⸻
Legal Safe Harbor
If you:
• Follow this policy
• Act in good faith
• Avoid privacy violations and service disruption
We will not pursue legal action related to your research.
Safe harbor does not apply to:
• Data theft
• Extortion or ransom demands
• Service disruption
• Public disclosure without explicit authorization
⸻
Program Discretion
We reserve the right to:
• Determine severity, eligibility, and payout amount
• Reject any submission at our sole discretion
• Decline reports that create legal, operational, or reputational risk
• Modify or terminate this program at any time without notice
⸻
Submission Process
Send reports to: [email protected]
Subject: Bug Bounty Submission – [Concise Title]