Vulnerability Disclosure Policy

Last updated: February 2026

At Fyxer, we take security seriously. We welcome and encourage responsible disclosure of security vulnerabilities in our systems. This policy outlines our commitment to working with security researchers to protect our users.

Guidelines for Ethical Research

When testing Fyxer systems, please:

  • Be careful: Avoid accessing, modifying, or deleting data that isn't yours. Do not degrade system performance or disrupt services for other users.
  • Stay in bounds: Only test systems that are explicitly within scope. Do not attempt to access systems or data outside the defined scope.
  • Communicate responsibly: Report vulnerabilities promptly and provide sufficient detail for us to reproduce and fix the issue.
  • Keep it confidential: Do not publicly disclose the vulnerability until we have had sufficient time to address it and you have received explicit permission to publish.

Safe Harbor Promise

If you follow these guidelines, we guarantee:

  • No legal action: We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, in accordance with this policy.
  • Good-faith collaboration: We will work with you to understand and resolve valid, manually validated issues. Due to the high volume of AI-generated submissions we receive, response times vary and we cannot guarantee a fixed acknowledgement window.

In Scope

The following Fyxer services are in scope for security research:

  • fyxer.com
  • app.fyxer.com

Out of Scope Vulnerabilities

The following are explicitly excluded from this program. Reports about these issues will not qualify for rewards:

  • Attacks requiring physical access to devices or networks
  • Social engineering attacks (phishing, vishing, pretexting)
  • Denial of service (DoS) or distributed denial of service (DDoS) attacks
  • Spam or email bombing attacks
  • Vulnerabilities affecting third-party services or dependencies not maintained by Fyxer
  • Issues in third-party applications, integrations, or browser extensions not developed by Fyxer
  • Vulnerabilities in outdated browsers, plugins, or third-party software
  • Clickjacking attacks with minimal security impact
  • Certificate transparency log issues
  • Publicly accessible files or directories without sensitive data exposure
  • Missing security headers that do not result in a tangible vulnerability

Vulnerability Severity & Rewards

We evaluate and reward vulnerabilities based on their severity and impact:

SeverityExample ImpactReward Range
CriticalRemote code execution, full database access, authentication bypass$5,000 – $10,000
HighPrivilege escalation, significant data exposure, stored XSS with user impact$1,000 – $5,000
MediumReflected XSS, CSRF with limited impact, minor data leakage$100 – $1,000
LowMissing headers, low-impact issuesSwag or thanks

Reward amounts are at our discretion and depend on the specific impact, quality of the report, and whether the vulnerability has already been reported.

How to Report a Bug

If you find a vulnerability within scope, email us at security@fyxer.com with:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Screenshots or proof of concept (if applicable)

We receive a high volume of reports, including a significant number generated by AI tools without manual validation. Due to this, we cannot guarantee a fixed acknowledgement time. Reports that appear to be AI-generated and unvalidated will not receive a response — please thoroughly verify any finding yourself before submitting, or it will not be triaged. We appreciate your patience and will keep you informed of our progress on valid reports. Thank you for helping keep Fyxer secure.