Responsible Disclosure

As a security-focused company ourselves, we take security issues very seriously at Fuzzbuzz. If you believe you have found a security vulnerability in Fuzzbuzz, we would like to work with you to investigate it. We ask that you do not disclose your findings publicly before we have had a reasonable timeframe to address your report.

After you have confirmed that the vulnerability is in scope, please send us an email at security@fuzzbuzz.io. If your report contains sensitive information (credentials, exploit details, user data), consider encrypting the sensitive parts of the email with our GPG key, listed below.

Reporting a vulnerability


  • Include clear written instructions for reproducing the vulnerability in your email to security@fuzzbuzz.io
  • When reporting vulnerabilities you must keep all information within the email thread. Do not post information to video-sharing or pastebin sites. Images can be sent directly via email.
  • For vulnerabilities involving personally identifiable information, please explain the kind of PII you believe is exposed and limit the amount of PII data included in your submissions. For textual information and screenshots, please only include redacted data in your submission.
  • Do not publicly disclose your submission until Fuzzbuzz has evaluated the impact.

Scope


Fuzzbuzz runs a number of services but only submissions under the following domains are eligible for rewards. Any other Fuzzbuzz-owned domains not listed below are not in-scope.
  • fuzzbuzz.io
  • beta.fuzzbuzz.io
  • app.fuzzbuzz.io
We welcome any reports of serious security concerns regarding in-scope domains; however, the following types of reports are out of scope:
  • Reports from automated tools or scans
  • Issues without clearly identified security impact (such as clickjacking on a static website), missing security headers, or descriptive error messages
  • Missing best practices, information disclosures, use of known-vulnerable libraries, or descriptive / verbose / unique error pages (without substantive information indicating exploitability)
  • Speculative reports about theoretical damage without concrete evidence or some substantive information indicating exploitability
  • Forms missing CSRF tokens without evidence of the actual CSRF vulnerability
  • Missing security-related HTTP headers which do not lead directly to a vulnerability

Public GPG Key


  • Fuzzbuzz Security <security@fuzzbuzz.io>
  • ID: 0x16D6A2663C3F04F6
  • Fingerprint: 7B60 130D 8F64 E301 84BF 59D0 16D6 A266 3C3F 04F6
-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF+0ihUBEACi1PWSbIY8ButSlahfaTmjkW9VoPAdbmEaj2Wp6UQvkXR604qw
uQUwIyBseRiDh+XGZW3yNJKAvaGyTMzZvaIkS3TU9DfpjaSn5sL0GvY978foVB2H
7+b2ghaB992x+9iQWF0ikPgGgMYzwToGXuhVsJdLUeav0BFsriYfRM4yLsVjmjjo
4P1fsDS0xgD5hMNMTM3H/l4S6UdTm0vBahmZK9Z69HwwOilfvEabwiS7cbi9XJhJ
00wQlAciA9sO8h6UnzXqe0+34Y9P2HqOV4DejE35P6AZUqqJPDjydWZvrHQt4Qx4
9SkHQjsoT3mUTz3Xm/nXQsElSl1V1NJ6Hfjwv50KfACmtirWBdUMRxr7ImM1j8RC
ahM5NMwLz6czlgg1zZaVrF58Ewbz3k0xqEqi1zCL8z8VtV/+FTPlGsczdMNq8eJs
ZMU0hsjj8AzuuJCGDTlvOkbUPYMN6/c40mkpzw4ZW9Pooe2DW/NTiEK/r1i/cIGC
WFKbQv+QEAHl87Ws3AHM/0GNP3LEhNc2Ziu5bLBmW2xgcXXjzRtvUX/pj7E63NYZ
oOREPc8GBScygtqHjhaL5jTGaadNZlX6yA2GM6kIOSZJVDk1U1TUJgnl5JZnhQ2S
HulMXMPASUeXKYLYRz6MQqNevYralUgPk1ozupPhqJZ/sHxzD01gwGPDiQARAQAB
tChGdXp6YnV6eiBTZWN1cml0eSA8c2VjdXJpdHlAZnV6emJ1enouaW8+iQJMBBMB
CgA2FiEEe2ATDY9k4wGEv1nQFtaiZjw/BPYFAl+0ihUCGy8ECwkIBwQVCgkIBRYC
AwEAAh4BAheAAAoJEBbWomY8PwT22IYQAKDKupSP5AuL5bCPRmh6xDy787tWOL8a
Fj4ZLlkJRTxB9cXWK9WbIgJ0ialG+HzS7DnbIrQjSJTF8ZLtsGl7CfIuNXKqqhpo
XtZfbtiQWjX8+p1g6oKFtdj/p5zkSK3OiaeGjosqCogn2YGxd4/QtPRjgOkM/APz
FpW07cpnOWf6Jz/cd5AxXMUumABw5mmvy4Rb137Hx5qBJdhrufNK+/X7LinlzRjr
W7Rnl6sGzftIbVxfBuO5XfwiRhljNZLCgenFnYLUcksXe2P4wOuZPX++T/UfAGe6
S1HNULO+WAZMdeb5Cn3lHrEhh8OBV2D+YNU90AeOYFJuXZyZgaLsH0QKP/HOZbpm
lvRbzM8CIlwDNI+1wFjorxgRTgU1L/ghNHaeoY8ZfksoKrjeM9CU4bYtEkbCruug
LJ5kBbKHJhisqIWKolhTC4oIxOue2eN/Xy2xNZRgC73oykWv2WQqpq2CRPuw7o0U
kfOwAEJLvt9g0uzGt9F5/+4cs9FUEV3G7kWWChewRD6BDziOr53Pu8Zfkn7ThAF7
Xf0zwoNT8jRtTWwWHWSOY5XGDxKabYnQLoEmg+kkqLYeKlmBYH3ZreBfd31OGIiV
j4EWoRYAFe7C+j4kVJSLGrf196tTYjhdePb2tP9WfdanwNNuh2BBHad5RF3iQzWT
bOdvI8J9h0cV
=Og8R
-----END PGP PUBLIC KEY BLOCK-----
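The fingerprint above is what lets you confirm that a key you obtained (pasted from this page, fetched from a keyserver, or received by email) is the one Fuzzbuzz published, before you encrypt a report to it. The following is an added example, not Fuzzbuzz's own tooling: it recomputes the version 4 OpenPGP fingerprint from the key block above (SHA-1 over the public-key packet, RFC 4880 section 12.2) using only the Python standard library, extracts the user ID, and compares the result with the published value. The key block is embedded as constructed input so the script runs offline; the function names are the example's own.

```python
import base64
import hashlib

# Constructed input: the key block as published on this page, embedded so the check runs offline.
FUZZBUZZ_KEY_BLOCK = """-----BEGIN PGP PUBLIC KEY BLOCK-----
mQINBF+0ihUBEACi1PWSbIY8ButSlahfaTmjkW9VoPAdbmEaj2Wp6UQvkXR604qw
uQUwIyBseRiDh+XGZW3yNJKAvaGyTMzZvaIkS3TU9DfpjaSn5sL0GvY978foVB2H
7+b2ghaB992x+9iQWF0ikPgGgMYzwToGXuhVsJdLUeav0BFsriYfRM4yLsVjmjjo
4P1fsDS0xgD5hMNMTM3H/l4S6UdTm0vBahmZK9Z69HwwOilfvEabwiS7cbi9XJhJ
00wQlAciA9sO8h6UnzXqe0+34Y9P2HqOV4DejE35P6AZUqqJPDjydWZvrHQt4Qx4
9SkHQjsoT3mUTz3Xm/nXQsElSl1V1NJ6Hfjwv50KfACmtirWBdUMRxr7ImM1j8RC
ahM5NMwLz6czlgg1zZaVrF58Ewbz3k0xqEqi1zCL8z8VtV/+FTPlGsczdMNq8eJs
ZMU0hsjj8AzuuJCGDTlvOkbUPYMN6/c40mkpzw4ZW9Pooe2DW/NTiEK/r1i/cIGC
WFKbQv+QEAHl87Ws3AHM/0GNP3LEhNc2Ziu5bLBmW2xgcXXjzRtvUX/pj7E63NYZ
oOREPc8GBScygtqHjhaL5jTGaadNZlX6yA2GM6kIOSZJVDk1U1TUJgnl5JZnhQ2S
HulMXMPASUeXKYLYRz6MQqNevYralUgPk1ozupPhqJZ/sHxzD01gwGPDiQARAQAB
tChGdXp6YnV6eiBTZWN1cml0eSA8c2VjdXJpdHlAZnV6emJ1enouaW8+iQJMBBMB
CgA2FiEEe2ATDY9k4wGEv1nQFtaiZjw/BPYFAl+0ihUCGy8ECwkIBwQVCgkIBRYC
AwEAAh4BAheAAAoJEBbWomY8PwT22IYQAKDKupSP5AuL5bCPRmh6xDy787tWOL8a
Fj4ZLlkJRTxB9cXWK9WbIgJ0ialG+HzS7DnbIrQjSJTF8ZLtsGl7CfIuNXKqqhpo
XtZfbtiQWjX8+p1g6oKFtdj/p5zkSK3OiaeGjosqCogn2YGxd4/QtPRjgOkM/APz
FpW07cpnOWf6Jz/cd5AxXMUumABw5mmvy4Rb137Hx5qBJdhrufNK+/X7LinlzRjr
W7Rnl6sGzftIbVxfBuO5XfwiRhljNZLCgenFnYLUcksXe2P4wOuZPX++T/UfAGe6
S1HNULO+WAZMdeb5Cn3lHrEhh8OBV2D+YNU90AeOYFJuXZyZgaLsH0QKP/HOZbpm
lvRbzM8CIlwDNI+1wFjorxgRTgU1L/ghNHaeoY8ZfksoKrjeM9CU4bYtEkbCruug
LJ5kBbKHJhisqIWKolhTC4oIxOue2eN/Xy2xNZRgC73oykWv2WQqpq2CRPuw7o0U
kfOwAEJLvt9g0uzGt9F5/+4cs9FUEV3G7kWWChewRD6BDziOr53Pu8Zfkn7ThAF7
Xf0zwoNT8jRtTWwWHWSOY5XGDxKabYnQLoEmg+kkqLYeKlmBYH3ZreBfd31OGIiV
j4EWoRYAFe7C+j4kVJSLGrf196tTYjhdePb2tP9WfdanwNNuh2BBHad5RF3iQzWT
bOdvI8J9h0cV
=Og8R
-----END PGP PUBLIC KEY BLOCK-----"""

PUBLISHED_FINGERPRINT = "7B60 130D 8F64 E301 84BF 59D0 16D6 A266 3C3F 04F6"


def dearmor(armored):
    """Strip the ASCII armor (RFC 4880 s6.2) and return the binary packet stream."""
    lines = armored.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an ASCII-armored OpenPGP block")
    body = lines[1:-1]
    if "" in body:                       # armor headers (e.g. "Version:") end at a blank line
        body = body[body.index("") + 1:]
    if body[-1].startswith("="):         # the trailing "=XXXX" line is the CRC-24, not key data
        body = body[:-1]
    return base64.b64decode("".join(body), validate=True)


def packets(data):
    """Yield (tag, body) for each packet, handling old- and new-format headers (RFC 4880 s4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        if ctb & 0x40:                   # new format: tag in the low 6 bits
            tag, first = ctb & 0x3F, data[pos + 1]
            if first < 192:
                length, pos = first, pos + 2
            elif first < 224:
                length, pos = ((first - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif first == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths are not used in transferable public keys")
        else:                            # old format: tag in bits 2-5, length size in bits 0-1
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            n = 1 << ltype
            length, pos = int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n
        yield tag, data[pos:pos + length]
        pos += length


def v4_fingerprint(pubkey_body):
    """RFC 4880 s12.2: SHA-1 over 0x99, the two-octet body length, and the public-key packet body."""
    if pubkey_body[0] != 4:
        raise ValueError("only version 4 keys are handled")
    return hashlib.sha1(b"\x99" + len(pubkey_body).to_bytes(2, "big") + pubkey_body).hexdigest().upper()


def check_key(armored, published_fingerprint):
    """Recompute the fingerprint from the key material and compare it with the published one."""
    pkts = list(packets(dearmor(armored)))
    primary = next(body for tag, body in pkts if tag == 6)              # tag 6: public-key packet
    uids = [body.decode("utf-8") for tag, body in pkts if tag == 13]    # tag 13: user ID packet
    fpr = v4_fingerprint(primary)
    return {
        "fingerprint": fpr,
        "key_id": "0x" + fpr[-16:],      # the long key ID is just the low 64 bits of the fingerprint
        "user_ids": uids,
        "matches_published": fpr == published_fingerprint.replace(" ", "").upper(),
    }
```

Calling `check_key(FUZZBUZZ_KEY_BLOCK, PUBLISHED_FINGERPRINT)` returns the computed fingerprint, the derived key ID, the user ID carried in the key, and whether the fingerprint matches the published one; only encrypt to the key when that last field is true. `gpg --import` followed by `gpg --fingerprint security@fuzzbuzz.io` gives the same value. Whichever tool you use, compare the full 40-hex-digit fingerprint rather than the key ID alone: the key ID is only the low 64 bits of the fingerprint, and the user ID string inside a key can be set to anything by whoever generated it.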