Responsible disclosure statement

We at figo are committed to providing the most secure service possible. This includes being assessed by well-known and trusted legal entities like external security assessor companies  or respecting banking regulation authorities. figo takes care of professional handling of reported, identified problems and issues.

Guidelines for responsible disclosure

  • When investigating a problem or issue resulting in a vulnerability, please, only ever target your own accounts and data. Never attempt to access anyone else’s data and do not engage in any activity that would be disruptive or damaging figo. Do not violate the privacy of our users and partners.
  • Please use secure channels to report security issues. See details about this below.
  • Keep any information about identified weaknesses and exploitable vulnerabilities confidential between yourself and figo.
  • Provide a valid attack scenario.
  • Please provide sufficient evidence (e. g. short proof of concept).
  • Only proper responsible disclosure will result in attribution and reward. See details about this below.

Attribution and rewards

Identifying problems and issues such as security vulnerabilities is of high value for us and we are therefore committed to providing rewards for reporting such vulnerabilities. However, please note that we are not legally obligated to do so.

Attribution and rewards depend on factors such as

  • Severity – Impact of a vulnerability
  • Time – Whether you are the first person to report this vulnerability
  • Ethics – Whether you complied with our guidelines

The problems and issues in conjunction with the following constraints are not considered for attribution and rewards

  • Any intended attempt to destroy figo live data
  • Any intended attempt of disruption of active figo services
  • Social Engineering Methods (e. g. phishing, spear phishing, baiting)

Scope of the responsible disclosure statement

The figo ‚responsible disclosure statement‘ applies exclusively to services operated internally by figo. This includes all topics related to security which are important or relevant to the operation of the figo API (api.figo.me). Third party software, for example, that which is responsible for www.figo.io and www.figo.io/blog, is not subject to the figo ‚responsible disclosure‘ policy.

What happens after you contacted figo?

  • Our security team will report back to you within two working days with a confirmation of submission.
  • We will start analyses on the reported problem or issue.
  • We will communicate back to you within a certain time frame for further inquiry or confirmation on identification of open problem or issue.

After fixing the vulnerability

  • you may receive an reward.
  • your contribution may be acknowledged in our hall of fame (we will respect your privacy here and ask for everything we publish beforehand).
  • you will be allowed to publish your findings.

How to securely communicate with figo

We urge you to communicate securely with us. If you are unsure how to do so, write us without disclosing any details and we will establish a secure channel first.

  • Please use gpg encrypted mail to communicate with us. Send mails to responsible-disclosure@figo.io by using the public gpg key with the fingerprint 1568 EEDF 37E4 2FD3 CA05  EF5F FFB9 6DDE FD31 68A1.
  • If you wish to remain anonymous, feel free to do so by using a pseudonym. We would encourage you to use an email address that allows us to get back to you.