We Take Security Seriously
This page describes our security practices and how to contact our team if you have questions or a security report.
Audits, Background Checks & Training
We perform regular security audits at every level of our organization, from employees to our servers. We also review all changes to our source code for security issues.
We run complete background checks on all employees and contractors. This process is repeated each year.
All of our employees and contractors go through security training each year. We currently use ESET's security awareness training as part of this process.
SOC 2 Type 2
We are in the process of obtaining our SOC 2 Type 2 compliance. This process takes time, but we are happy to share our Gap Analysis, and a certification from the CPA firm that is running our audit, with paying customers who have a signed NDA in place.
We are happy to sign a BAA (Business Associate Agreement) with companies that wish to leverage FusionAuth Cloud and need to comply with healthcare industry regulations.
FusionAuth can be deployed on any server, anywhere in the world. This makes it simple for companies to deploy FusionAuth in a way that supports their GDPR compliance.
FusionAuth Cloud also allows companies to select the location for their FusionAuth Cloud deployment. This makes data localization simple.
We are also happy to sign a Data Processing Addendum with paying customers. See our license FAQ for more information.
We are developers, we love developers, and we appreciate what you do.
To ensure that our lawyers also appreciate what you do, please be sure to follow our responsible disclosure guidelines.
Responsible Disclosure Program
If you have discovered or believe you have discovered a potential security vulnerability, we encourage you to disclose it in accordance with this responsible disclosure program.
We will work with you to validate and respond to security vulnerabilities that you report to us. Because public disclosure of a security vulnerability could put the entire FusionAuth community at risk, we require that you keep such potential vulnerabilities confidential until we are able to address them. We will not take legal action against you or suspend or terminate your access to any FusionAuth services, provided that you discover and report security vulnerabilities in accordance with this Responsible Disclosure Program. FusionAuth reserves all of its legal rights in the event of any noncompliance.
Discovering Security Vulnerabilities
Please read this carefully to ensure you understand both the allowed and disallowed methods of discovery. FusionAuth reserves all of its legal rights in the event of any noncompliance.
We encourage responsible security research on the FusionAuth website (fusionauth.io and all sub-domains), FusionAuth Cloud services, other FusionAuth web services, and standalone software libraries. You may conduct vulnerability research and testing on the FusionAuth Cloud services to which you have authorized access. Authorized access includes FusionAuth Cloud services that you have purchased, and FusionAuth Cloud account management for your own account or a company-owned account.
In no event shall your research and testing involve:
- Accessing, or attempting to access, accounts or data that do not belong to you or your Authorized Users,
- Any attempt to modify or destroy any data,
- Executing, or attempting to execute, a denial of service attack, whether intentional or unintentional,
- Sending, or attempting to send, unsolicited or unauthorized email, spam or other forms of unsolicited messages,
- Testing third party websites, applications or services that integrate with the FusionAuth Services, Cloud or self-hosted,
- Posting, transmitting, uploading, linking to, sending or storing malware, viruses or similar harmful software, or otherwise attempting to interrupt or degrade FusionAuth Cloud services or other FusionAuth web services including the FusionAuth website, and
- Any activity that violates any applicable law.
If you are unsure whether your method of discovery is permitted, please ask before proceeding to ensure compliance.
Reporting a Vulnerability
We encourage anyone who believes they have found a security vulnerability in our website, FusionAuth Cloud, FusionAuth, or other FusionAuth web services to responsibly disclose the issue.
If you can get FusionAuth to do something it isn't supposed to do that causes it to lose data integrity or availability, leak information, or provide unauthorized access to APIs or data, you have found a vulnerability and we want to know about it - right now! 🧐
We want to reward you for your efforts in helping us continue to enhance product security. We do this by paying out bounties for security vulnerabilities to the first person to complete a verifiable disclosure. Please review and follow these simple rules before you submit your disclosure.
Please do these things; it will serve us both.
- Read and carefully review the Discovering Security Vulnerabilities section above.
- Submit your disclosure to firstname.lastname@example.org.
- Include a clear description of the vulnerability, how it works and the impact of the exploit.
- Include a working example or extensive documentation. Screenshots or videos may provide supporting evidence, but are not adequate by themselves. The more details the better.
- Provide proof that the reported vulnerability can be exploited.
- Verify that your claims are correct and valid; each claim should be supported by documented steps to reproduce it.
Please don't do any of these things; it won't help either of us.
- Demand status updates on existing submissions. We will do our best to be timely.
- Ask for ransom, or any suggested bounty. Don't be that guy.
- Send a link to a best practice unless you can demonstrate a workable exploit that the linked content would fix.
- Describe a theoretical vulnerability; we deal mostly in the real world.
- Disclose a vulnerability found in a third-party tool or product. If you have identified a vulnerability in a third-party product that we use, please disclose it to the product owner first. We would still appreciate you letting us know, but we cannot offer you a bounty in this scenario.
It may take us 1-2 weeks to review the report and verify the vulnerability. If your report does not meet the submission guidelines, or does not adequately prove a vulnerability, the report will be rejected.
In most cases, when a report is rejected, the FusionAuth security team will respond to ask for additional clarification or evidence. However, if it is clear that the reporter has not invested a reasonable amount of time in following the submission guidelines, no response will be offered. We value your time and effort, and we ask that you do the same for us.
Once we determine that a report has identified a real vulnerability, we will let you know we have accepted your report. If we are able to offer you a bounty, we will communicate the amount and ask for your preferred payment method. Please note that we cannot guarantee we can use your preferred method, but we will do our best.
If we can improve this submission guide, provide additional clarification, examples etc., please submit a GitHub pull request.