
fullcast.io runs a bug bounty program to reward researchers for their findings. If you believe you have discovered a vulnerability in the fullcast.io service, system or web-facing property, please submit a vulnerability report via customersupport@fullcast.io. Please do not publicly disclose these details without contacting Fullcast first, and without express prior written agreement from Fullcast.
As a security-conscious company, keeping our customers safe is Fullcast's primary concern. Fullcast uses a Secure Development Lifecycle process to integrate security into its products from design through development and release. However, sometimes vulnerabilities escape detection, or new exploits are released after the product is already on the market. At Fullcast we investigate all received vulnerability reports and implement the best course of action in order to protect our customers.
Fullcast supports responsible disclosure, and we take responsibility for disclosing product vulnerabilities to our customers. To encourage responsible disclosure, we ask that all researchers comply with the following Responsible Disclosure Guidelines:
Fullcast advises its customers that those who exploit security systems often do so by reverse engineering published security updates, and therefore encourages its customers to apply patches in a timely manner.
Responsible Disclosure Program Guidelines
Researchers shall disclose potential vulnerabilities in accordance with the following guidelines:
If you responsibly submit your findings to Fullcast in accordance with these guidelines, Fullcast agrees not to pursue legal action against you. Fullcast reserves all legal rights in the event of noncompliance with these guidelines.
Once a report is submitted, Fullcast commits to providing prompt acknowledgement of receipt of all reports (within two business days of submission) and will keep you reasonably informed of the status of any validated vulnerability that you report through this program.
The following environments are out of scope:
http://support.fullcast.io
When reporting a potential vulnerability, please include a detailed summary of the vulnerability, including the target, steps, tools, and artifacts used during discovery (screen captures welcome).
What is a “qualifying vulnerability”?
Web application vulnerabilities such as XSS, XXE, CSRF, SQLi, Local or Remote File Inclusion, authentication issues, remote code execution, authorization issues, privilege escalation and clickjacking. The vulnerability must not be in one of the services named in the “out of scope” section above. You must be the first researcher to responsibly disclose the vulnerability, and you must follow the responsible disclosure guidelines set out in this Policy, which include giving us a reasonable amount of time to address the vulnerability. We will confirm the reasonable amount of time with you following the disclosure of the vulnerability.
What is not a “qualifying vulnerability”?
Although each submission will be evaluated on a case-by-case basis, here is a list of some of the issues which don’t qualify as security vulnerabilities:
The Fullcast senior management team has overall responsibility for this policy, and for reviewing the effectiveness of actions taken in response to concerns raised under this policy. Various officers of Fullcast have day-to-day operational responsibility for this policy, and must ensure that all managers and other staff who may deal with concerns or investigations under this policy receive regular and appropriate training. Fullcast’s Chief Technology Officer and General Counsel review our Vulnerability Disclosure policy from a legal and operational perspective on a yearly basis.