Friendium Bug Bounty & Vulnerability Disclosure Policy

This Bug Bounty & Vulnerability Disclosure Policy defines how Friendium receives, evaluates, and responds to security vulnerability reports. It establishes responsible disclosure expectations, researcher protections, and enforcement boundaries to safeguard users, infrastructure, and Nexa-Group.

1. Purpose & Security Philosophy

Friendium recognizes the importance of independent security research in identifying vulnerabilities before they can be exploited. This policy provides a structured and lawful pathway for reporting security issues while protecting both users and researchers.

2. Scope of Disclosure

This policy applies to vulnerabilities affecting Friendium-operated domains, applications, APIs, infrastructure, and services owned or controlled by Nexa-Group.

  • friendium.com and official subdomains
  • Official mobile and web applications
  • Authentication, session, and identity systems
  • APIs, backend services, and supporting infrastructure

3. Eligible Vulnerability Categories

Reportable vulnerabilities include, but are not limited to:

  • Authentication or authorization bypass
  • Account takeover vectors
  • Data exposure or leakage risks
  • Privilege escalation flaws
  • Remote code execution
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Infrastructure misconfiguration

4. Excluded Findings

The following are generally excluded from bounty eligibility, though they may still be acknowledged:

  • Issues requiring physical access to user devices
  • Denial-of-service testing without authorization
  • Social engineering of users or employees
  • Spam, brute-force, or credential-stuffing attacks
  • Outdated browser or OS-specific issues
  • Theoretical vulnerabilities without proof of impact

5. Responsible Disclosure Requirements

Researchers must adhere to responsible disclosure principles:

  • Do not exploit vulnerabilities beyond proof-of-concept
  • Do not access or modify user data
  • Do not disrupt services or degrade availability
  • Allow Friendium reasonable time to remediate
  • Do not publicly disclose without written authorization

6. Safe Harbor for Good-Faith Research

Friendium commits to not pursuing legal action against researchers who comply with this policy, act in good faith, and avoid harm to users or systems.

This safe harbor does not apply to malicious activity, data misuse, extortion, or violations of applicable law.

7. Reporting Process

Vulnerabilities must be reported with sufficient detail to enable reproduction and assessment.

  • Clear description of the issue
  • Steps to reproduce
  • Affected systems or endpoints
  • Potential impact assessment
  • Proof-of-concept (if applicable)

8. Submission Channels

Security reports should be submitted via:

  • Email: security@friendium.com
  • Subject line: “Security Vulnerability Disclosure”

9. Acknowledgment & Triage

Friendium aims to acknowledge reports within a reasonable timeframe. Reports are triaged based on severity, exploitability, and potential impact.

10. Remediation & Resolution

Confirmed vulnerabilities are prioritized for remediation according to internal risk classification frameworks. Fix timelines may vary based on complexity and systemic risk.

11. Bug Bounty Rewards

Where applicable, Friendium may offer discretionary rewards for qualifying reports. Reward amounts depend on:

  • Severity and impact
  • Originality of discovery
  • Quality of report
  • Adherence to responsible disclosure

All rewards are discretionary and subject to eligibility review.

12. Confidentiality & Attribution

Researchers must keep vulnerability details confidential until remediation is complete. Public attribution may be granted with mutual consent.

13. Abuse & Disqualification

Friendium reserves the right to disqualify reports involving:

  • Unauthorized data access
  • Extortion or ransom demands
  • Violation of user privacy
  • Intentional service disruption

14. Legal & Regulatory Alignment

Vulnerability handling aligns with global security standards, privacy regulations, and Nexa-Group compliance obligations.

15. Policy Updates

This policy may be updated as security practices evolve. Continued research activity constitutes acceptance of the current policy version.

16. Contact

Security Team: security@friendium.com
Legal Inquiries: legal@friendium.com

這篇文章有幫助嗎? 0 用戶發現這個有用 (0 投票)

熱門文章

Security Practices Disclosure

Friendium Security Practices Disclosure This Security Practices Disclosure explains...
Account Takeover Prevention Policy

Friendium Account Takeover Prevention Policy This Account Takeover Prevention Policy...
Rate Limiting & Abuse Prevention Policy

Friendium Rate Limiting & Abuse Prevention Policy This Rate Limiting & Abuse...
Incident Response & Breach Notification Policy

Friendium Incident Response & Breach Notification Policy This Incident Response...
Infrastructure Resilience & Uptime Policy

Friendium Infrastructure Resilience & Uptime Policy This Infrastructure...