
Help us keep Foqal secure
We value the security research community and welcome reports of potential vulnerabilities. If you believe you've found a security issue, we want to hear from you.
Security Hall of Fame
We deeply value and appreciate security researchers who help keep Foqal safe. Report a vulnerability and join these outstanding contributors.
How to Participate
Follow these steps to report a security vulnerability
Identify the Vulnerability
Ensure that the issue falls within the scope of our program. We're interested in vulnerabilities that affect the security of Foqal.io and its users.
Create a Detailed Report
Your report should include a description of the vulnerability, steps to reproduce the issue, the potential impact, and your suggested remediation if any.
Submit the Report
Send your detailed findings to our dedicated security email. If your report contains sensitive data, please do not include it initially - wait for our response with a secure upload channel.
Review and Confirmation
Our security team will review your submission within 3 business days and may reach out for additional information or clarification.
Program Scope
Understanding what vulnerabilities we're looking for
Note: Only Foqal products and services are in scope. Third-party products we use (such as our idea tracking site, ticketing system, or other external services) are not covered by this program.
In Scope
- Authentication and authorization flaws
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- SQL injection and other injection attacks
- Server-side request forgery (SSRF)
- Information disclosure vulnerabilities
- Business logic flaws
- Privilege escalation
Out of Scope
- -Third-party products and services (e.g., our idea tracking site, ticketing system, etc.)
- -Social engineering attacks
- -Physical security attacks
- -Denial of service (DoS/DDoS) attacks
- -Spam or phishing
- -Vulnerabilities in third-party applications or integrations
- -Issues that require physical access
- -Self-XSS or issues requiring unlikely user interaction
- -Missing security headers without demonstrated impact
Guidelines for Submission
Please follow these guidelines when conducting security research
Good Faith
Engage in responsible behavior that avoids data theft, degradation of services, or unauthorized access to systems or data.
Non-Disruptive Testing
Do not compromise the experience of Foqal.io users. Avoid tests that may lead to service disruption, data loss, or denial of service.
Non-Disclosure
Do not publicly disclose vulnerabilities before we have had the opportunity to investigate and mitigate them. We aim to resolve issues within 90 days.
Responsible Timeline
Allow reasonable time for us to address the vulnerability before any disclosure. We'll keep you informed of our progress throughout the process.
Recognition & Rewards
We appreciate the efforts of security researchers who help us identify and address vulnerabilities. While we don't currently offer monetary rewards, we believe in recognizing valuable contributions.
Acknowledgment
Researchers who submit valid vulnerabilities will be recognized in our Security Hall of Fame (with your permission).
Exclusive Swag
Selected submissions may receive exclusive Foqal merchandise as a token of our appreciation.
Legal Safe Harbor
Foqal pledges not to initiate legal action against researchers who adhere to our Vulnerability Disclosure Program guidelines while identifying and reporting potential vulnerabilities.
Your good faith effort to protect our users and platform is appreciated and respected. We commit to working with you to understand and resolve issues quickly.
Contact: security@foqal.io
For encrypted communications, request our PGP key.
Our Response Timeline
What to expect after you submit a vulnerability report
Initial acknowledgment of your report
Preliminary assessment and triage
Target resolution for confirmed issues

Ready to report a vulnerability?
We appreciate your help in keeping Foqal secure. Send your findings to our security team and we'll work with you to address any issues.