About this policy
This policy describes how to report a security vulnerability in FrontFoot's products, what we commit to in return, and the scope of systems covered. It is intended for security researchers, penetration testers, and anyone who discovers a potential issue.
If you have found a vulnerability, send a report to [email protected]. We will acknowledge it within 3 business days and keep you informed throughout.
How to report
Send your report to [email protected]. Please include:
- A description of the vulnerability and its potential impact.
- The steps needed to reproduce it, including any relevant URLs, request/response payloads, or proof-of-concept code.
- The system or component affected.
You do not need to encrypt your report, but you may encrypt it with our PGP key if you prefer; the key is available on request at the address above.
What we commit to
If you report a vulnerability in good faith and follow this policy, we commit to:
- Acknowledge your report within 3 business days.
- Keep you informed of our investigation and remediation progress.
- Notify you when the vulnerability is resolved.
- Not pursue legal action against researchers who follow this policy.
- Credit you in our disclosure, if you would like to be named.
We do not currently offer a paid bug bounty. We do recognise good-faith research with public acknowledgement where the researcher wishes it.
Scope
In scope
- The FrontFoot web application at app.getfrontfoot.ai
- The FrontFoot API at app.getfrontfoot.ai/api
- The FrontFoot marketing site at getfrontfoot.ai
- The FrontFoot Gmail add-on and Chrome extension
- The FrontFoot Outlook add-in
- The FrontFoot Zendesk add-on
Out of scope
- Denial-of-service attacks or volumetric testing of any kind.
- Social engineering or phishing of FrontFoot staff.
- Physical attacks against FrontFoot or its infrastructure providers.
- Vulnerabilities in third-party services we depend on (Render, Clerk, Cloudflare, Anthropic, etc.): please report those directly to the relevant vendor.
- Automated scanning without prior coordination. Contact us first.
Rules of engagement
To qualify for safe harbour under this policy, you must:
- Not access, modify, or delete customer data. If you encounter customer data in the course of research, stop and report it to us immediately.
- Not exfiltrate data beyond the minimum necessary to demonstrate the vulnerability.
- Not disclose the vulnerability publicly before we have had a reasonable opportunity to investigate and remediate. We ask for 90 days from your initial report; we will aim to resolve critical and high-severity issues substantially faster.
- Not conduct testing against live customer accounts. Use a test account; contact us and we will provide one.
- Act in good faith throughout.
Safe harbour
FrontFoot will not initiate legal action against researchers who discover and report security vulnerabilities in accordance with this policy. We consider responsible security research to be a valuable contribution and will not treat it as a violation of our terms of service or applicable law.
If at any point you are uncertain whether your testing activity is within the scope of this policy, contact us before proceeding.
Contact
Security reports: [email protected]
General enquiries: [email protected]