Responsible Disclosure Policy

At Figures, the security of our customers' and employees' data is our priority. The purpose of this page (the “Responsible Disclosure Policy”) is to provide you with all the information you need if you have discovered, or believe you have discovered, a potential vulnerability in any of our products or services.

We are committed to ensuring our security is top tier and really appreciate the help of our community in achieving this. To make sure that any disclosures are made responsibly, please follow the terms below:

All submissions should be sent by email to and include the following information:
- The URL or IP address where you found the issue, and when you found it.
- A description of the issue, including what you saw and what you expected to see.
- A list of steps to reproduce the issue, or a video demonstration if it’s a complicated issue.

Please make sure that any disclosures are made as soon as possible. This will help in resolving security issues in a timely fashion.

Public disclosure of any vulnerability (e.g. through social media or the press) can put our community at risk, so please make sure you keep this confidential. All disclosures should be made in accordance with this Responsible Disclosure Policy so that we can focus on resolving any issues as soon as possible. We reserve the right to take legal action if this is not followed.

If you do discover a vulnerability and come into possession of personal data about Figures customers or employees, you must ensure this is deleted as soon as you have reported the disclosure by email. Personal data is any information that can be used to identify an individual.

None of the research you undertake when reporting a vulnerability should be carried out by unlawful means such as:
- Accessing, or attempting to access, accounts or data that do not belong to you;
- Attempting to use malware, viruses or similar harmful software;
- Sending unsolicited spam messages.

Please note that we do not offer a bug bounty program. This means that Figures does not pay rewards for disclosed security vulnerabilities.
To protect our customers, we investigate all reported issues, but we do not confirm them publicly.
- You make a good faith effort to avoid any legal and privacy violations, disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
- You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
- You do not violate any other applicable laws or regulations.

Your personal information will only be used to approach you regarding your vulnerability report. We will not distribute your personal information to third parties without your permission. Should the law require us to provide your personal information to an authority we will ensure that the applicable authority treats your personal information confidentially. We will remain responsible for your personal information.

What shouldn’t I be reporting?
- Sender Policy Framework (SPF), DKIM and DMARC configuration suggestions
- Disclosure of known public files or directories (e.g. robots.txt)
- Banner disclosure on common/public services without a PoC
- Security header configurations or missing headers
- Lack of Secure/HttpOnly flags on non-sensitive cookies
- Phishing or Social Engineering Attacks

When will I hear from you after making a disclosure?
Figures will send you a reply to let you know that we received your report, and will contact you if we need more information.

Can I publish anything about the vulnerability after my disclosure?
We ask that any details remain confidential to best protect our community. If you have any further questions on this please contact