Responsible Disclosure Program

Policy

Fast is serious about protecting security and privacy. If you are a security researcher and you think you've found a vulnerability with Fast products and services, we encourage you to report it to us in accordance with this Responsible Disclosure Policy. 

Coverage

The following subdomains are eligible for vulnerability testing of Fast Checkout, Login, and Order:

Terms and Conditions

 To help us analyze the potential vulnerability, please provide, at minimum, proof-of-concept code or instructions to demonstrate your exploit. Your participation in our program is voluntary and subject to the following terms and conditions: 

  • By making a submission, you grant Fast and its affiliates a perpetual, irrevocable, worldwide, royalty-free license to use, copy, adapt, develop, create derivative work from, or share your submission for any purpose, and waive all legal claims arising out of your submission.
  • You may not make extortionate threats or demands in connection with any vulnerability. 
  • Your testing and submission may not violate any export control or other applicable laws or regulations. 
  • While you must show that you can exploit a vulnerability, you should not exploit said vulnerability or otherwise access, modify, copy, download, delete, compromise or otherwise misuse others’ data; access non-public information without authorization; or degrade, interrupt or deny services to our users.
  • You may not initiate or participate in any denial of service attacks or any attacks that may degrade the performance of our website or services and interrupt or deny services to our users.
  • You may not upload, submit, store, post, or send malicious data or software as part of identifying or testing a vulnerability.
  • You may not publicly disclose your findings or the contents of your submission to any third parties absent Fast’s prior written approval.
  • Only the first responsibly-disclosed submission of a vulnerability instance will be marked as valid, and all subsequent reports will not be eligible for our program.
  • You must be 18 years of age or older, and you will be responsible for any applicable taxes related to any bounty payment you receive.
  • By reporting a bug, you agree to allow Bugcrowd to share with Fast the personal information that you provide relating to your tax forms, so Fast can perform compliance checks.
  • Whether to provide a payment for the disclosure of a bug and the amount of the payment is entirely at Fast’s discretion. 
  • You may not engage in any activity that results in sending spam emails, messages, phishing, or any unsolicited communications.
  • We may cancel or modify this policy at any time.


Non-Qualifying Vulnerabilities

Fast does not consider the following list to be eligible vulnerabilities: 

  • Denial of service reports based solely on a lack of rate-limiting or CAPTCHA.
  • Spam reports
  • Self Cross-Site Scripting (self-XSS), where the payload is supplied by the same user who executes it
  • Social engineering of Fast personnel
  • Best practice claims without a valid exploit. 
  • Phishing Attempts
  • Informational disclosure of non-sensitive data
  • Third party systems not directly under Fast's control