Responsible Disclosure Policy

The security of our systems and our users is of paramount importance to FeedbackFruits, and we continuously work on improving this aspect of our operations. To that end, we welcome anyone who finds a vulnerability in our platform to disclose it responsibly via the process outlined below. We appreciate you notifying us before informing the public, so that we can take action first.

Rules & restrictions

In the interest of the safety of our users, staff, the Internet at large, and you as a security researcher, the following restrictions apply to any security research performed against FeedbackFruits:

What to do:

  • If you believe you have found a security vulnerability in one of the assets outlined below, please report it to us at security@feedbackfruits.com, including a description of the vulnerability, its location and reproduction steps, along with proof-of-concept (POC) scripts, screenshots and screen captures if you have them.
  • Give enough detail to enable us to reproduce the flaw so that it can be remedied as soon as possible.
  • Leave your contact details (at least an email address or telephone number) so that we can contact you later.
  • Report the flaw as soon as possible after discovering it.
  • Do not share any information about the flaw with others until it has been remedied.
  • Deal responsibly with the information in your possession. Do nothing beyond what is necessary to demonstrate the security flaw.

What not to do:

  • Do not brute force credentials or guess credentials to gain access to systems.
  • Do not participate in denial of service attacks.
  • Do not upload shells or create a backdoor of any kind.
  • Do not engage in any form of social engineering (such as (spear)phishing or vishing) of FeedbackFruits employees, customers, or vendors.
  • Do not engage or target any FeedbackFruits employee, customer or vendor during your testing.
  • Do not attempt to extract, download, or otherwise exfiltrate data which you believe may have Personally Identifiable Information (PII) other than your own.
  • Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If you are ever prompted to change a password, stop and report the finding immediately.
  • Do not publicly disclose vulnerability reports that are not resolved and approved for disclosure by FeedbackFruits.
  • Do not attempt physical attacks on the FeedbackFruits office, or that of any customer or vendor.

What to expect

If you comply with these rules and restrictions, we promise to do the following:

  • Reply to your report within 72 hours and subsequently work as fast as we can on addressing the issue
  • Keep you posted on the progress of this fix
  • Not pursue or support any legal action related to your research
  • Gift you some FeedbackFruits swag

Assets in scope

  • FeedbackFruits Main Website
      • feedbackfruits.com
  • FeedbackFruits Web Application
      • eu.feedbackfruits.com
      • us.feedbackfruits.com
      • au.feedbackfruits.com
  • FeedbackFruits API
      • eu-api.feedbackfruits.com
      • us-api.feedbackfruits.com
      • au-api.feedbackfruits.com
  • FeedbackFruits Media Service
      • eu-media.feedbackfruits.com
      • us-media.feedbackfruits.com
      • au-media.feedbackfruits.com
  • FeedbackFruits Account Service
      • eu-accounts.feedbackfruits.com
      • us-accounts.feedbackfruits.com
      • au-accounts.feedbackfruits.com