External Responsible Disclosure Policy

Last updated: March 13, 2024

At FireTail, we are committed to ensuring the security and integrity of APIs across organizations. As part of our dedication to API security, our security team conducts research and occasionally identifies vulnerabilities in third-party APIs. This policy outlines our procedure for responsibly disclosing security vulnerabilities discovered in external APIs:

Objective: Our primary objective is to enhance the security posture of organizations by promptly and responsibly disclosing API vulnerabilities to the affected parties. We aim to collaborate with API providers to facilitate the resolution of identified vulnerabilities and improve overall API security across the Internet.

Disclosure Procedure:

  • FireTail will promptly disclose all relevant information regarding a security vulnerability to the responsible party or parties involved in the development and maintenance of the affected API(s).
  • Contact attempts will be made using various communication channels, including official website contacts, emails, phone calls, or intermediaries.
  • If the responsible party fails to acknowledge our communication within a reasonable timeframe, typically 90 days, FireTail reserves the right to publicly disclose the vulnerability for educational purposes.
  • Upon acknowledgment from the affected party, a grace period of 90 days will be provided to address the vulnerability.
  • Public disclosure will occur following the resolution of the vulnerability or if the responsible party fails to respond or adequately address the issue within the specified timeframe.

Public Disclosure:

  • FireTail will ensure that public disclosures do not include working exploits and are redacted to prevent exploitation by malicious entities while still raising awareness about the vulnerability.
  • A summary of the disclosure timeline and communications with the affected party will be provided upon public disclosure.

Release of Information:

  • FireTail may integrate vulnerability information into our platform to protect our customers' APIs from potential threats at any point from the initial discovery date onward.
  • FireTail may also utilize this data in our security research and publications for educational purposes.

Official Disclosure:

  • Security disclosures may be formally and publicly released on FireTail's official website. Only entries listed on this website should be considered official FireTail API security disclosures.

At FireTail, we prioritize responsible disclosure and collaboration with API providers to enhance the security and resilience of API ecosystems. FireTail is a defensive security company and will never knowingly share information with unauthorized parties. FireTail does not hack, breach, hold ransom, share compromised data, or act in malicious ways. We believe that by working together, we can effectively mitigate risks and safeguard against potential threats to API infrastructure.