Vulnerability Disclosure

Firstup, Inc. (together with its affiliated entities, “Firstup”) invites skilled security researchers from across the globe to identify vulnerabilities in our technology. If you believe you’ve found a vulnerability in our product or service, please notify us. We will work to resolve the issue promptly with you. Please review the following program rules before you engage in vulnerability scanning on our products or services. By participating in this program, you agree to be bound by these rules.

Scopes

The following domains and platforms are within the scope of this program:

• Dynamic Signal intelligent communication platform
• Firstup / Social Chorus intelligent communication platform
• Firstup.io

Only severe vulnerabilities that affect our users, services, or infrastructure will be accepted for third-party applications, others will be reported/forwarded to the third-party vendor for the application.

Disclosure Policy

• Let us know as soon as possible upon discovery of a potential security issue
• Provide us a reasonable amount of time to resolve the issue before any disclosure to the public or third-party
• Vulnerabilities that are exposed publicly as a part of putting together a proof of concept (e.g. website defacement, stored XSS on a public site) are not eligible for a bounty
• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service.

Exclusions

You are not eligible to participate in this program, and you will further be in violation of our terms of use if you participate in any of the following activities:

• Denial of service to any services or customers’ services
• Degrading performance or service of services or our customers’ services
• Spamming (even self-spamming)
• Social engineering (including phishing) of any staff or contractors
• Any physical attempts against Firstup or Firstup’s customers’ property or data centers
• Accessing private information of Firstup’s customers

Eligibility

In order to be eligible for a bounty, you must meet the following requirements:

• You must be the first reporter of the vulnerability
• Vulnerability must be associated with a domain or application listed above and not applicable to the above exclusions
• You must not disclose any details relating to the vulnerability or that you have uncovered a vulnerability without our prior written consent
• Vulnerability must have a clearly identified security impact and presented with enough information for investigation and reproduction by Firstup staff
• You must not have compromised the privacy of Firstup’s users or otherwise violated an of the requirements set forth herein 
• When researching security issues, especially those which may compromise the privacy of others, you must use test accounts in order to respect our users’ privacy. Accessing private information of other users, performing actions that may negatively affect Firstup’s users (e.g., spam, denial of service), or sending reports from automated tools without verifying them will immediately disqualify the report, and may result in a claim against you for violating our terms of use
• You must execute an Attestation of Data Deletion before any payment will be issued
• You must comply with Firstup’s Privacy Policy, located here Privacy Policy (firstup.io)

Any vulnerabilities reported with the following criteria are not eligible for a bounty:

• Attacks requiring physical access to a user’s device
• Any physical attacks against Firstup property or data centers
• Bypass of URL malware detection
• Bugs caused by third-party websites
• Only affecting outdated browsers/platforms
• Only affecting the executing user (self-XSS and similar)
• Caused by misbehaving third-party software/website
• Applicable only through social engineering
• Pretense being you already have access to affected account (or user’s browser)
• Vulnerabilities considered by Firstup to be of low severity

Fine Print

All reports are reviewed on a case-by-case basis. Firstup will determine at its own discretion whether a reward should be granted and the amount of the reward. Depending on their impact, not all reported issues qualify for a monetary reward. 

You must comply with all applicable laws in connection with your participation in this program. You are also responsible for any applicable taxes associated with any reward you receive.

We may modify the terms of this program or terminate this program at any time. We won’t apply any changes we make to these program terms retroactively.

To report a vulnerability, please email security@firstup.io and include as much detail as possible so that our team can replicate the issue. 

Thank you for helping keep Firstup and our users safe!