FoxBound Security Program
FoxBound Security & Disclosure Program
We take security very seriously here at FoxBound and constantly work to build & maintain the trust of our customers & users.
To help protect the data of our customers from cyber-attacks and other threats, we welcome security disclosures from well-intentioned researchers.
Please Review the Details of the Disclosure Program
- In the event you find a vulnerability within our platform during acceptable use, please review the steps and procedures for notifying FoxBound.
Code of Conduct
The scope of testing is solely the application itself, app.foxbound.io. The website, foxbound.io, and any other partner or third-party sites are out of scope.
- Report vulnerabilities immediately through the form below, to our support team at firstname.lastname@example.org, or to our agents monitoring live support chat.
- Respect customers' data and make every effort to protect the integrity and privacy of our data and our customers' data.
- Reach out to FoxBound’s security team through the form below if you have any questions or are unclear about any part of this program.
- Notify FoxBound before any sort of testing takes place.
- Exercise patience with our security team. We’ll work to acknowledge the receipt of your submission as soon as possible. Expect clarifying questions from our security & engineering teams. You’ll receive status updates on the remediation of the vulnerability at least once a week until resolution.
Do not:
- Copy, exploit, share, or publicly expose any customer data or PII (personally identifiable information) from your research.
- Leverage research to cause damage to FoxBound or FoxBound users & customers.
- Attempt any kind of testing that involves denial of service through network traffic or resource exhaustion.
- Leverage any vulnerability testing tools that generate significant amounts of traffic.
- Attempt any kind of social attacks (this includes phishing).
- Break or violate any legal or other regulatory guidelines & restrictions for research purposes.
- Publicly disclose security vulnerabilities without notifying the FoxBound team and allowing adequate time for acknowledgement and remediation.
- Customer Data
- Internal Use Only
Customer data is considered ‘Confidential’ and must be protected accordingly, including use of encryption, limited access, and restrictions on movement.
If information is not specifically classified, the default classification is ‘Internal Use Only.’
Publicly available resources such as content on our website, job postings, blogs, etc. are ‘Public.’
Data owners are responsible for classifying data, ensuring appropriate access rights are set, and appropriate security controls are in place.
After submitting a vulnerability to the FoxBound team, you can expect a timely response & acknowledgement. We do reserve 36 hours for initial acknowledgement.
Disclosures are automatically escalated to top priority, and we’ll work to validate, triage, and assess the implications of the security vulnerability. A plan and timeline for remediation will be shared with you privately if applicable.
After this initial phase, we’ll maintain consistent communication until resolution. You will be asked to verify our fix once complete.
Measurement of Vulnerability
FoxBound leverages the Common Vulnerability Scoring System (CVSS version 3) to measure the severity of the issue and to prioritize our response accordingly.
Note that we reserve sole discretion for judgement of the validity of the vulnerability.
Since our platform integrates with other third-party data providers and processors, we’ll notify the third party if the vulnerability is found to affect them as well. Your personal identity will not be disclosed, and you agree not to contact said third party without FoxBound’s express consent.
FoxBound also reserves the right to accept the risk of the reported vulnerability if it cannot be validated, is considered a negligible risk at our sole discretion, or if the remediation plan creates more risk than the vulnerability itself.
If you have discovered a vulnerability in a FoxBound application, please don’t share it publicly. Instead, please submit a report to us through a support ticket. We review all security concerns that are submitted and we strive to stay aware of the latest security developments by monitoring the threat landscape and by working with external security researchers and companies.
If you believe your account has been compromised or you are seeing suspicious activity on your account, please report it to your application administrator and email@example.com.
If a submission was deemed valid and remediation is necessary, we will ask the researcher to validate our remediation efforts with a retest. Once both FoxBound and the researcher agree the vulnerability has been remediated, the researcher is welcome to report their work publicly (barring disclosure of any PII or sensitive information). FoxBound will hold Assignment of Rights such that FoxBound can do whatever it wants with the information, including the development of intellectual property.
Contacting FoxBound with a Disclosure
IMPORTANT: By filling out and submitting the form below, you acknowledge that you’ve read this Security Program and agree to the Program in its entirety.