Details

Policy

Factorial looks forward to working with the security community to find vulnerabilities. We recognize the important role that you play in helping to keep Factorial and our customers secure. If you discover a site or product vulnerability please notify us.

Reporting a potential security vulnerability

Privately share details of the suspected vulnerability with Factorial by sending an email to [email protected]. We recommend you to encrypt the email using our PGP public key: https://www.factorialhr.com/.well-known/pgp-key.txt
Provide full details of the suspected vulnerability so the Factorial security team may validate and reproduce the issue

Ineligible vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

Below are some examples of issues that are out of scope:

Any activity that could lead to the disruption of our service (DoS)
Attacks requiring MITM or physical access to a user’s device
Best practice reports without a valid exploit (e.g., use of "weak" TLS ciphers)
Clickjacking on pages with no sensitive actions
Comma Separated Values (CSV) injection without demonstrating a vulnerability
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Disclosure of server or software version numbers
Hypothetical subdomain takeovers without supporting evidence
Issues that require unlikely user interaction
Missing best practices in Content Security Policy
Missing best practices in SSL/TLS configuration
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Missing HttpOnly or Secure flags on non session cookies
Open redirect - unless an additional security impact can be demonstrated
Previously known vulnerable libraries without a working Proof of Concept
Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.
Rate limiting or bruteforce issues on non-authentication endpoints
Reports of spam
Self-XSS
Social engineering
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).
Tabnabbing
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]

Reporting a potential security vulnerability

Privately share details of the suspected vulnerability with Factorial by sending an email to [email protected]. We recommend you to encrypt the email using our PGP public key: https://www.factorialhr.com/.well-known/pgp-key.txt

Provide full details of the suspected vulnerability so the Factorial security team may validate and reproduce the issue

Ineligible vulnerabilities

When reporting vulnerabilities, please consider (1) attack scenario / exploitability, and (2) security impact of the bug.

Below are some examples of issues that are out of scope:

Any activity that could lead to the disruption of our service (DoS)

Attacks requiring MITM or physical access to a user’s device

Best practice reports without a valid exploit (e.g., use of "weak" TLS ciphers)

Clickjacking on pages with no sensitive actions

Comma Separated Values (CSV) injection without demonstrating a vulnerability

Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS

Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions

Disclosure of server or software version numbers

Hypothetical subdomain takeovers without supporting evidence

Issues that require unlikely user interaction

Missing best practices in Content Security Policy

Missing best practices in SSL/TLS configuration

Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)

Missing HttpOnly or Secure flags on non session cookies

Open redirect - unless an additional security impact can be demonstrated

Previously known vulnerable libraries without a working Proof of Concept

Public Zero-day vulnerabilities that have had an official patch for less than 1 month will be awarded on a case by case basis.

Rate limiting or bruteforce issues on non-authentication endpoints

Reports of spam

Self-XSS

Social engineering

Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors).

Tabnabbing

Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]