Responsible Disclosure

Reporting Vulnerabilities
At Finastra, the safety of the data on our systems is at the heart of everything we do. We actively encourage everyone who believes they have found a vulnerability in our systems to report the issue to us in line with the following guidelines. Your report will be submitted to our Responsible Disclosure Program, managed by Synack.

Responsible Disclosure Guidelines
Scope
The following Finastra web services are in scope:
*.fusionfabric.cloud

Rules of Engagement
Please read the following rules before reporting a vulnerability:

  • Do not put any data on our systems at risk
  • No Denial of Service testing
  • No Physical or Social Engineering
  • No uploading of any vulnerability or content to third-party utilities (e.g. GitHub, Dropbox, YouTube)
  • If able to gain access to a system, accounts, users, or user data, stop at point of recognition and report. Do not dive deeper to determine how much more is accessible.
  • When documenting a vulnerability that is already public, please make sure your write-up is discreet and does not identify the client.

If you do not follow these Rules of Engagement, your actions will be treated as an attack and not a Security Disclosure. We may take action against any attacks, including reporting them to the police.

What to report

  • OWASP Top 10 vulnerability categories
  • Other vulnerabilities with demonstrated impact

What not to report

  • Theoretical vulnerabilities
  • Informational disclosure of non-sensitive data
  • Low impact session management issues
  • Self-XSS (user-defined payload)

For a full list of the program scope, please visit the Responsible Disclosure details page.

How to report
Our responsible disclosure program is managed by our service provider Synack who will review and validate the issues within the scope of this program.
See our responsible disclosure program

Terms and Conditions
The following terms and conditions apply, and you must fully comply with them at all times.

International law and regulations
Your investigation of our IT systems could be regarded as criminal under local or international law. If you act in good faith and in accordance with these Responsible Disclosure Guidelines, we will not report your actions to the authorities, unless required to do so by law.