FEHA Responsible Disclosure Policy
Purpose
The purpose of this policy is to define a structured and secure process for reporting vulnerabilities, ensuring timely assessment and resolution while protecting both FEHA and security researchers. This policy encourages responsible security research while minimizing risks to FEHA’s infrastructure and data.
Scope
This policy applies to FEHA personnel, third-party vendors, and external security researchers involved in identifying vulnerabilities within FEHA’s IT infrastructure, systems, applications, networks, and cloud environments. It is particularly relevant to assets that store or process sensitive information or are critical to business operations.
Policy
Responsible Disclosure Policy
FEHA is committed to collaborating with security researchers to enhance the security and reliability of its platform. When researchers disclose vulnerabilities to us, we work together to strengthen the compliance ecosystem for the benefit of all users.
However, FEHA does not participate in a bug bounty program. Researchers engaging with FEHA must follow ethical guidelines to ensure responsible and legal security testing.
Reporting a Security Vulnerability
To ensure responsible disclosure and timely remediation, FEHA enforces a structured reporting process:
- Responsible Reporting: Security researchers must report vulnerabilities privately and refrain from publicly disclosing them before remediation.
- Submission Process: Reports must be submitted through the designated disclosure platform or security contact email.
- Detailed Information: Reports should include sufficient details, such as attack vectors, affected systems, and replication steps, to facilitate validation.
- Confidentiality Assurance: FEHA will not take legal action against researchers who act in good faith and comply with this policy.
Scope of Acceptable Testing
Security testing must be conducted in an ethical and controlled manner to avoid disrupting business operations or exposing sensitive data.
- Prohibited Activities: Security testing must not involve social engineering, denial-of-service attacks, unauthorized data access, or any actions that could compromise user privacy.
- Permissible Testing: Researchers may assess web applications, APIs, and publicly accessible systems without attempting unauthorized access or data modification.
- Respect for Privacy: Any unintended exposure of sensitive data must be reported immediately and not retained.
Compliance and Ethical Considerations
All responsible disclosure activities must align with legal and ethical standards, including the following:
- Compliance with Laws: Researchers must comply with all applicable laws and regulations.
- Ethical Hacking Standards: Disclosures must follow ethical guidelines to avoid harm or disruption.
- Third-Party Engagement: If vulnerabilities involve third-party systems, the company may coordinate with relevant vendors.
Response & Remediation Process
FEHA follows a transparent and structured response process when a vulnerability is reported:
- Acknowledgment – A confirmation email will be sent within 7 business days.
- Assessment – The security team will validate the report, assess its impact, and prioritize remediation.
- Resolution – FEHA will work to remediate the vulnerability based on severity, with security patches deployed accordingly.
- Status Updates – Researchers will be kept informed on the progress of remediation where applicable.
- Disclosure Agreement – FEHA may coordinate with the researcher on responsible public disclosure if necessary.
Exclusions
This policy does not apply to:
- Issues related to user misconfiguration, weak passwords, or third-party applications outside FEHA’s control.
- Non-security-related bugs (e.g., UI glitches, spelling errors).
- Attacks on non-production environments unless explicitly authorized.