We value the security community’s role in protecting our customers and services. If you believe you’ve found a security vulnerability, please let us know so we can address it promptly.
Scope
This policy applies to:
- All FairPlay-owned or operated systems, applications, and infrastructure (including websites, APIs, mobile apps, and cloud environments) that store, process, or transmit customer data.
- Any systems that could reasonably be used to gain unauthorized access to such data.
Out of Scope:
- Third-party services, systems, or networks
- Customer or partner systems
- Social engineering (phishing, vishing, etc.)
- Physical security testing
- Denial-of-service attacks
- Non-security issues (e.g., bugs without security impact)
Reporting
Please send reports to security-disclosure@fairplay.ai. Include:
- A clear description of the vulnerability
- Steps to reproduce
- Any relevant technical details (e.g., screenshots, logs, proof-of-concept code)
- Impact assessment if possible
Rules of Engagement
- Test only in-scope systems
- Avoid actions that could degrade, damage, or destroy data or services
- Do not access more data than necessary to demonstrate the issue
- Cease testing immediately if customer data is encountered and include this in your report
- We urge researchers to exercise prudence and refrain from public disclosure or exploitation of potential vulnerabilities
- Comply with all applicable laws
What to Expect
- You will receive an automated acknowledgment upon report receipt
- Valid, in-scope reports will be investigated and addressed under our Incident Response Policy
- We may contact you if additional information is required
- Handling and timelines follow our Incident Response Policy
Legal Notice
We handle all valid reports in accordance with our internal policies and applicable laws. By submitting a vulnerability report, you agree not to disclose the vulnerability publicly without our prior written consent.
