Overview

At FluentCRM, we’re committed to maintaining the highest level of security possible. Our team works diligently to protect our users’ data, but we understand that no system is completely impervious to potential vulnerabilities. Therefore, we encourage the open, responsible reporting of vulnerabilities through our Security and Vulnerability Disclosure Program. By working together, we can create a safer, more secure environment for our users.

Reporting a Vulnerability

We appreciate the help of security researchers and the general public in identifying potential issues. If you believe you have found a security vulnerability in our WordPress plugin, we encourage you to inform us as soon as possible.

Here’s how you can do it (please any of these that you prefer):

  1. Email us at security [at] fluentcrm.com, providing as much detailed information as possible about the potential vulnerability. Please include the following:
    • Description of the potential vulnerability
    • Steps to reproduce the issue
    • The potential impact of the issue on our users
    • Any additional details or relevant resources
  2. You can also submit the issue by clicking here.
  3. We also use Patchstack’s mVDP program so you may report there. We will get your report from Patchstack. Please use this URL: https://patchstack.com/database/vdp/fluent-crm

Guidelines

We ask that you:

  • Do not exploit any vulnerabilities that you discover.
  • Do not perform any attack that could harm the reliability/integrity of our services or data.
  • Do not publicly disclose the bug until it has been addressed by FluentCRM.

Eligibility and Responsible Disclosure

You are responsible for complying with all applicable laws and must only ever use or otherwise access your own test accounts when researching vulnerabilities in any of our products, services, or codebases. Access to, or modification of user data is explicitly prohibited without prior consent from the account owner.

Response to Disclosure

Once you’ve reported a vulnerability, here’s what you can expect from us:

  1. We will acknowledge your email within 3 business days of receiving your report.
  2. Our team will review the reported vulnerability and confirm its validity.
  3. If we validate the issue, we’ll work swiftly to address it, and we will keep you informed about our progress.
  4. Once the issue is resolved, we’ll acknowledge your assistance in our release notes (unless you request to remain anonymous).

Recognition

We understand the hard work and dedication it takes to identify security vulnerabilities. As a token of our appreciation for helping us maintain the security of FluentCRM, we offer a reward of $250-$500 for the disclosure of any security vulnerability that we subsequently confirm as valid and fix. Please note that eligibility for this reward is at our discretion and will be determined on a case-by-case basis.

At FluentCRM, we’re dedicated to providing a secure environment for all our users. We greatly appreciate your assistance in identifying any areas where we can improve. Together, we can ensure FluentCRM continues to be a trusted solution for WordPress CRM & Email Marketing needs.


Policy Changelog

June 14, 2023 – 12:14 PM

  • Program open for public