Vulnerability Disclosure Programme

Last updated: July 11, 2025

1. Our Commitment to Security

FireWatcher is committed to maintaining the highest standards of security. We welcome and encourage security researchers and the broader community to help us identify and address potential vulnerabilities in our systems and services.

2. Scope

This programme covers vulnerabilities in:

  • FireWatcher web application (*.firewatcher.ai)
  • API endpoints and services
  • Authentication and authorization systems
  • Data processing and storage systems
  • Third-party integrations managed by FireWatcher

3. Reporting Guidelines

Important

Reports must demonstrate a credible security vulnerability with actual exploitability. The mere absence of a security best practice, without demonstrable impact, will not be considered.

When reporting a vulnerability, please include:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • Proof of concept (if applicable)
  • Potential impact assessment
  • Suggested remediation steps (if known)
  • Your contact information for follow-up

4. Response Timeline

Initial Response

Within 24 hours of receiving your report

Status Updates

Every 72 hours until resolution

Our target resolution times:

  • Critical vulnerabilities: 72 hours
  • High severity: 7 days
  • Medium severity: 30 days
  • Low severity: 90 days

5. Responsible Disclosure

We ask that you:

  • Allow us reasonable time to investigate and address the issue before disclosure
  • Avoid accessing, modifying, or deleting data belonging to others
  • Do not perform actions that could harm our service or users
  • Keep vulnerability details confidential until we’ve had a chance to address them
  • Do not use social engineering, phishing, or physical attacks against our employees

6. Safe Harbor

Legal Protection

FireWatcher will not pursue legal action against security researchers who:

  • Follow this vulnerability disclosure programme
  • Act in good faith
  • Do not violate privacy or destroy data
  • Report vulnerabilities promptly

7. Out of Scope

The following are not considered vulnerabilities:

  • Denial of service attacks
  • Social engineering attacks
  • Physical attacks on our facilities or employees
  • Vulnerabilities in third-party services not directly controlled by FireWatcher
  • Issues requiring physical access to user devices
  • Vulnerabilities that require user interaction beyond normal usage

8. Rewards

FireWatcher provides monetary rewards for valid vulnerability reports based on the CVSS score and our internal security assessment. Reward amounts are determined by the severity and impact of the vulnerability discovered.

Reward tiers are based on:

  • CVSS base score of the vulnerability
  • Business impact assessment
  • Exploitability and attack complexity
  • Quality of the vulnerability report

9. Contact Information

Security Team

Email: security@firewatcher.ai

PGP Key: Available upon request

10. Programme Updates

We may update this vulnerability disclosure programme from time to time. Changes will be posted on this page with an updated revision date. We encourage you to review this page periodically for any updates.

Emergency Contact

For critical security issues that require immediate attention, please contact our security team directly at security@firewatcher.ai with “URGENT SECURITY ISSUE” in the subject line.