Fuze endeavours to create safe and resilient infrastructure. To that end, we invite all security researchers to test Fuze's public infrastructure for vulnerabilities or exploitation techniques. Please write to security@fuze.finance if you find a vulnerability that merits our attention. We offer bug bounties of up to $1000, depending on the severity and scale of the vulnerability. The exact criteria of the bounty will be communicated to you via email.
Guidelines
- Responsible Disclosure: We request that security researchers follow responsible disclosure practices and refrain from publicizing any details of the vulnerability until we have had sufficient time to address the issue.
- Legal and Ethical Behavior: Engage in testing and reporting activities that adhere to all relevant laws and regulations. Do not engage in any malicious actions, unauthorized access, or activities that may harm our systems or users.
- “Personal Data or Personal Information” means data that allows someone to identify you, including but not limited to your full name, email address, physical address, personal identification number, location data, financial data etc.
- “Processing of Data” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction, and “Processed”, “Processes” and “Process” shall be construed accordingly.
Exclusions
The following activities are not eligible for the bug bounty program:
- Social engineering attacks
- Physical attacks against our facilities or data centers
- Denial of service attacks
- Vulnerabilities that are not reproducible
Resolution Timeline
Our team is committed to acknowledging receipt of your report within 48 hours and providing regular updates on the status of the investigation. We strive to resolve critical vulnerabilities within 15 days and other vulnerabilities within a reasonable timeframe based on complexity.