⚠️ This document is a draft for internal review (v3.0.0). It has NOT been reviewed by legal counsel and does NOT constitute legal advice. Consult a qualified attorney before official use.
Security Vulnerability Disclosure Policy
Version v3.0.0 | Effective: May 16, 2026
1. Overview
FIBEMATE is committed to providing secure and reliable communication services. We take security issues seriously and welcome security researchers and users to help us discover and fix potential vulnerabilities.
This policy describes how we handle security vulnerability reports and the rules researchers should follow when testing our services.
2. In-Scope Vulnerabilities
We accept reports for the following types of vulnerabilities:
- Cryptographic implementation flaws (e.g., key leakage, algorithm defects)
- Authentication/authorization bypass
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- SQL injection or other database vulnerabilities
- Server-side request forgery (SSRF)
- Identity verification bypass
- Sensitive information disclosure
- Privilege escalation
- Remote code execution
3. Out-of-Scope Testing
The following activities are not covered by this policy:
- Testing third-party services
- Social engineering attacks (including against employees or users)
- Physical security testing
- Denial of service (DoS/DDoS) attacks
- Automated mass scanning (please verify vulnerabilities manually)
- Accessing, modifying, or deleting data without authorization
- Actions that affect service availability for other users
4. How to Report
Security Report Email: support@fibemate.net (Security)
Encrypted Communication: Please use our PGP public key (available on our website) to send encrypted reports.
Please include the following in your report:
- Vulnerability type and severity
- Affected components/pages
- Detailed reproduction steps
- Proof-of-concept code (if available)
- Potential impact assessment
- Suggested fix (if available)
5. Severity Classification
We use the following criteria to assess vulnerability severity:
- Critical: Mass user data exfiltration, complete system compromise, total encryption failure
- High: User data leakage, authentication bypass, privilege escalation
- Medium: Partial user information disclosure, limited service impact
- Low: Minor issues with limited impact scope
6. Response Timeline
We commit to:
- Critical: Acknowledge within 24 hours, fix or mitigate within 72 hours
- High: Acknowledge within 48 hours, fix within 7 days
- Medium: Acknowledge within 72 hours, fix within 14 days
- Low: Acknowledge within 7 days, fix within 30 days
7. Safe Harbor
For researchers who follow this policy, we commit to:
- Not initiating legal proceedings
- Not reporting your activities to law enforcement
- Not suspending or terminating your account
Conditions: You must comply with all policy terms, report vulnerabilities promptly, not disclose vulnerability details, and not impact other users.
8. Disclosure Guidelines
To ensure user safety, we ask researchers to:
- Not publicly disclose vulnerability details before fixes are deployed
- Allow reasonable time for remediation (typically 90 days)
- Coordinate disclosure timing to ensure user safety
- Communicate with us before any public disclosure
9. Recognition
While we do not currently offer cash bounties, for valid vulnerability reports we will:
- Publicly acknowledge you on our security thanks page (optional)
- Provide FIBEMATE premium feature access
- Offer special memorabilia for significant vulnerability discoveries
10. Contact
For any questions about this policy, contact:
- Security Team: support@fibemate.net (Security)
- General Inquiries: support@fibemate.net