We Take Security Seriously
This page provides information about our security practices and how to contact our team if you have questions or security reports.
We welcome anyone who believes they have found a security issue in our websites, web applications, or the FusionAuth product itself to submit it to us.
We regularly pay bug bounties for the first valid and verifiable submission for a specific problem. Please follow these rules if you wish to submit a security report:
- Email a complete description of the issue to firstname.lastname@example.org
- Include a working example or extensive documentation of a working example (screenshots, videos, scripts, code, etc). For example, sending us a screenshot of a report from a testing tool is not a valid report. You must prove that something in the report can be used against a running production system.
- Include definitive proof that a real-world exploit or vulnerability exists. We don't accept theoretical reports. For example, reporting that an HTTP header is missing is not a valid report. You must prove that the lack of the HTTP header can be used to gain access to or exploit a running production system.
- Ensure that every statement you have made is correct and valid. If you make misleading or incorrect statements, your report will be rejected. For example, claiming that an API key has been leaked without proof that it can be used on a production system is not a valid report.
- Ensure that you are not submitting reports on test data or example data. We don't accept reports without production vulnerabilities.
- Ensure that you are submitting reports for FusionAuth applications and products. We don't accept reports for third-party tools; you should report those directly to the maker of the tool.
- Do not include a ransom or any suggested bounty amount. These are ignored and sometimes annoy the person reviewing the report.
- Do not demand pre-payment.
- Do not include a timeline.
- Do not demand updates. We will always reply to valid submissions in a timely manner.
- We require a minimum of 1-2 weeks to review the report and make a determination.
- We require a minimum of 1-2 weeks to make any bug bounty payments.
Audits, Background Checks & Training
We perform regular security audits at every level of our organization from employees to our servers. We also review all changes to our source code for security issues.
We run complete background checks on all employees and contractors. This process is repeated each year.
All of our employees and contractors go through security training each year. We currently use ESET's security awareness training as part of this process.
SOC 2 Type 2
We are in the process of obtaining our SOC 2 Type 2 compliance. This process takes time, but we are happy to share our Gap Analysis and a certification from the CPA firm that is running our audit to paying customers with a signed NDA in place.
We are happy to sign a BAA for companies that wish to leverage FusionAuth Cloud and need to comply with healthcare industry regulations.
FusionAuth can be deployed on any server, anywhere in the world. This makes it simple for companies to ensure FusionAuth complies with GDPR.
FusionAuth Cloud also allows companies to select the location for their FusionAuth Cloud deployment. This makes data localization simple.
We are also happy to sign a Data Processing Addendum with paying customers.