The security of our systems and our clients' data is our top priority. We value the contributions of security researchers who help us identify and remediate vulnerabilities.
This policy sets out the guidelines for responsible vulnerability disclosure for the systems of FIB.CODE Sp. z o.o. We encourage collaboration under the principles below and guarantee a thorough analysis of every report.
Report a vulnerability: security@fibcode.com
Initial response time: 24h
PGP encryption available
Below we outline the systems and services covered by our responsible disclosure program, as well as those excluded from the testing scope.
In scope:
Web applications under the *.fibcode.com domain
APIs and production service endpoints
Server and infrastructure configuration
Authentication and authorization vulnerabilities
Data leaks and improper access control
Cryptographic vulnerabilities and key management
Out of scope:
Social engineering and phishing attacks on employees
Denial of Service attacks (DoS/DDoS)
Vulnerabilities in third-party software
Brute force and user account enumeration
Scanner-only findings without an exploitation attempt
Client systems hosted on our infrastructure
Please follow these rules when testing and reporting vulnerabilities. Good-faith collaboration is essential to the security of all parties involved.
Test only to the extent necessary to confirm a vulnerability. Do not modify, delete, or access data that is not yours.
Do not copy, store, or share personal data or confidential information obtained during testing.
Do not perform tests that could disrupt production systems, service availability, or user experience.
Do not publicly disclose vulnerability details before the fix is deployed and you have received our approval for publication.
Conduct research solely to improve security. Do not exploit discovered vulnerabilities for personal or commercial gain.
After discovering a vulnerability, report it as soon as possible to allow us to take corrective action in the shortest possible time.
A transparent, five-step process ensures professional handling of every report — from submission to public recognition.
Send your report to security@fibcode.com. Include a detailed description of the vulnerability, reproduction steps, and potential impact. PGP encryption is available.
Our team will acknowledge receipt within 24 hours. We will analyze and assess the vulnerability severity using CVSS v3.1.
The development team will design and deploy a fix according to the SLA based on severity level. We keep you informed of progress throughout.
After deploying the fix, we publish an internal advisory describing the vulnerability, attack vector, and remediation measures applied.
Once the case is closed, we offer public recognition of the researcher's contribution, according to their preferences and our recognition program.
Our time commitments are defined by vulnerability severity level, classified according to the CVSS v3.1 standard.
Severity   CVSS v3.1    Initial response   Remediation   Advisory
Critical   9.0 - 10.0   4 hours            7 days        Immediate
High       7.0 - 8.9    24 hours           30 days       Post-fix
Medium     4.0 - 6.9    48 hours           60 days       Quarterly
Low        0.1 - 3.9    5 business days    90 days       Quarterly
Response times are measured from receipt of a complete report. In justified cases, timelines may be extended in consultation with the researcher.
We guarantee legal protection to security researchers who collaborate with us in good faith and in accordance with this policy.
FIB.CODE Sp. z o.o. commits to not pursuing legal action against security researchers who report vulnerabilities in accordance with this responsible disclosure policy.
We consider security research conducted under this policy to be authorized activity. We will not treat such research as unauthorized access to computer systems under applicable law.
In the event that a researcher's actions are questioned by a third party, we will confirm that the research was conducted under our responsible disclosure program and with our consent.
This protection applies provided that the researcher acts in good faith, complies with the program rules, and causes no data breach.
We appreciate the contributions of security researchers to improving the security of our systems. We offer several forms of recognition.
With the researcher's consent, we publish an acknowledgment on our website describing their contribution to the security of our systems.
We issue an official certificate confirming responsible vulnerability disclosure and collaboration with our security team.
Upon request, we provide a professional LinkedIn recommendation confirming the researcher's competence and ethical approach.
Outstanding researchers are offered ongoing collaboration within our security program or consulting projects.
Do you have information about a vulnerability in our systems? Contact us. Every report is treated with the highest priority.
We prefer encrypted communication. Our security team's PGP key is available on request or in the security.txt file on our website (the standard location for that file is /.well-known/security.txt).
Please include the following in your report:
Detailed description of the vulnerability and its type
Step-by-step reproduction instructions
Potential impact and attack scenarios
Affected systems, URLs, or endpoints
Screenshots, logs, or a proof of concept (PoC)
Suggested remediation measures (if possible)
Responsible Disclosure Policy — last updated: February 2025
This policy is part of the Information Security Management System (ISMS) of FIB.CODE Sp. z o.o. compliant with ISO 27001:2022.