Details

Security is taken seriously at Fullscreen, and we are committed to protecting our community. With that in mind, Fullscreen is publishing this policy to allow lines of communication with the wider security community. Fullscreen appreciates the efforts of security researchers and experts in regards to identifying security-related issues within any Fullscreen resource. If you believe you have found an issue please disclose it to us responsibly.

Fullscreen is committed to addressing all reported issues in a responsible and timely manner. Fullscreen wants to work with you, the security community. Please give us the opportunity to remediate any issues before disclosing them publicly. Please submit a detailed report of the issue, along with a reproducible outline. Fullscreen has confidence in the HackerOne and general security community at large to respect Fullscreen users’ data and privacy.

Disclosure Policy

Reach out to Fullscreen as soon as possible upon discovery of a potential security issue, and Fullscreen will work quickly to address the issue in a timely manner. Please allow Fullscreen a reasonable amount of time to remediate any issue before public or third-party disclosure. Please try to use a "Do No Harm" type policy when performing your research. Please avoid privacy violations of our users, destruction of our data, and denial of service of our resources and to our users. Only interact with accounts you own or with explicit permission of the account holder.

Bounty Program

Fullscreen does not currently have a monetary bug bounty program, but all reports meeting our desired scope (see below) will be addressed and public thanks will be given. We would also be more than happy to provide a certificate of acknowledgement. Depending on budget and supplies, t-shirts and swag might be available as well.

Scope

The scope of issues is limited to technical vulnerabilities in Fullscreen network of websites and mobile apps. Please do not attempt to compromise the safety or privacy of our users, or the availability of Fullscreen through DoS attacks. Please refrain from targeted phishing, spam attacks, and social engineering of Fullscreen users, Third-party partners or Fullscreen employees. We request that you rate-limit your testing for any automated tools which could generate large volumes of traffic.

Non-qualifying vulnerabilities

Although we review every reported issue on a case-by-case basis, some of them may not qualify depending on their impact. Here are some common low-risk issues that typically do not qualify:

Attacks requiring physical access to a user's device
Missing SPF, DKIM, or DMARC record
Missing DNSSEC
HttpOnly and Secure cookie flags
HTTPS related (such as HSTS)
Session timeout
Missing X-Frame or X-Content headers
Issues related to software or protocols not under Fullscreen's control
Reports of spam
Bypass of URL malware detection
Vulnerabilities only affecting users of outdated or un-patched browsers and platforms
Any physical attempts against Fullscreen property or data centers
Issues without clearly identified security impact, such as clickjacking on a static website, missing security headers, or descriptive error messages.

Thank you for helping keep the Fullscreen community safe!