Frequently asked questions
Q: What if I found a vulnerability, but I don’t know how to exploit it?
A: We expect vulnerability reports sent to us to include a valid attack scenario in order to qualify for a bounty, and we consider working one out a critical step of vulnerability research. Bounties are decided based on the maximum impact of the vulnerability.
Q: How do I demonstrate the severity of the vulnerability if I’m not supposed to snoop around?
A: Please submit your report as soon as you have discovered a potential security issue. The panel will consider the maximum impact and will choose the reward accordingly. We may give bounties for otherwise well-written and useful submissions where the reporter didn’t notice or couldn’t fully analyze the impact of a particular flaw.
Q: Who determines whether my report is eligible for a bounty?
A: The bounty reward panel consists of the members of the foundation steering committee and the foundation board.
Q: What happens if I disclose the vulnerability publicly before you had a chance to fix it?
A: Our pledge to you is to respond promptly and fix bugs in a sensible timeframe - and in exchange, we ask for a reasonable advance notice. Reports that go against this principle will usually not qualify, but we will evaluate them on a case-by-case basis.
Q: My report has not been resolved within the first week of submission. Why hasn’t it been resolved yet?
A: Reports that deal with potential abuse-related vulnerabilities may take longer to assess. Reviewing our current defense mechanisms requires investigating how a real-life attack would take place, and judging the impact and likelihood requires studying the motivations and incentives of abusers who might use the submitted attack scenario against FIO.
Q: I wish to report an issue through a vulnerability broker. Will my report still qualify for a reward?
A: We believe that it is against the spirit of the program to privately disclose the flaw to third parties for purposes other than actually fixing the bug. Consequently, such reports will typically not qualify.
Q: What if somebody else also found the same vulnerability?
A: First to report wins. You will qualify for a bounty only if you were the first person to alert us to a previously unknown flaw.
Q: Can I report a problem privately/anonymously?
A: Sure. While all bug reports should be made privately, following industry-standard responsible disclosure principles, it is fine if you do not wish to be publicly recognized. Just mention this when you submit your report.
This is not a competition, but rather an experimental and discretionary bounty program. You should understand that we can cancel the program at any time and the decision as to whether or not to reward bounties is entirely at the discretion of the Foundation.
Of course, your testing must not violate any law, or disrupt or compromise any data that is not your own.