Back to Security
Vulnerability Disclosure Program

Help us keep Foqal secure

We value the security research community and welcome reports of potential vulnerabilities. If you believe you've found a security issue, we want to hear from you.

Security Hall of Fame

We deeply value and appreciate security researchers who help keep Foqal safe. Report a vulnerability and join these outstanding contributors.

How to Participate

Follow these steps to report a security vulnerability

Identify the Vulnerability

Ensure that the issue falls within the scope of our program. We're interested in vulnerabilities that affect the security of Foqal.io and its users.

Create a Detailed Report

Your report should include a description of the vulnerability, steps to reproduce the issue, the potential impact, and your suggested remediation if any.

Submit the Report

Send your detailed findings to our dedicated security email. If your report contains sensitive data, please do not include it initially - wait for our response with a secure upload channel.

Review and Confirmation

Our security team will review your submission within 3 business days and may reach out for additional information or clarification.

Program Scope

Understanding what vulnerabilities we're looking for

Note: Only Foqal products and services are in scope. Third-party products we use (such as our idea tracking site, ticketing system, or other external services) are not covered by this program.

In Scope

  • Authentication and authorization flaws
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection and other injection attacks
  • Server-side request forgery (SSRF)
  • Information disclosure vulnerabilities
  • Business logic flaws
  • Privilege escalation

Out of Scope

  • -Third-party products and services (e.g., our idea tracking site, ticketing system, etc.)
  • -Social engineering attacks
  • -Physical security attacks
  • -Denial of service (DoS/DDoS) attacks
  • -Spam or phishing
  • -Vulnerabilities in third-party applications or integrations
  • -Issues that require physical access
  • -Self-XSS or issues requiring unlikely user interaction
  • -Missing security headers without demonstrated impact

Guidelines for Submission

Please follow these guidelines when conducting security research

Good Faith

Engage in responsible behavior that avoids data theft, degradation of services, or unauthorized access to systems or data.

Non-Disruptive Testing

Do not compromise the experience of Foqal.io users. Avoid tests that may lead to service disruption, data loss, or denial of service.

Non-Disclosure

Do not publicly disclose vulnerabilities before we have had the opportunity to investigate and mitigate them. We aim to resolve issues within 90 days.

Responsible Timeline

Allow reasonable time for us to address the vulnerability before any disclosure. We'll keep you informed of our progress throughout the process.

Recognition & Rewards

We appreciate the efforts of security researchers who help us identify and address vulnerabilities. While we don't currently offer monetary rewards, we believe in recognizing valuable contributions.

Acknowledgment

Researchers who submit valid vulnerabilities will be recognized in our Security Hall of Fame (with your permission).

Exclusive Swag

Selected submissions may receive exclusive Foqal merchandise as a token of our appreciation.

Legal Safe Harbor

Foqal pledges not to initiate legal action against researchers who adhere to our Vulnerability Disclosure Program guidelines while identifying and reporting potential vulnerabilities.

Your good faith effort to protect our users and platform is appreciated and respected. We commit to working with you to understand and resolve issues quickly.

Contact: security@foqal.io

For encrypted communications, request our PGP key.

Our Response Timeline

What to expect after you submit a vulnerability report

24h

Initial acknowledgment of your report

3 days

Preliminary assessment and triage

90 days

Target resolution for confirmed issues

Ready to report a vulnerability?

We appreciate your help in keeping Foqal secure. Send your findings to our security team and we'll work with you to address any issues.