Which domains are in scope?

In scope:

*.fruition.net
tools.fruition.net

Out of scope:

cdn.fruition.net

What bugs are NOT eligible?

Disruptive bugs, or bugs with no or low impact or likelihood, such as:

Missing cookie flags on non-session cookies or 3rd-party cookies
Logout CSRF
Social engineering
Denial of service
Weak TLS ciphers
Email spoofing and missing or weak SPF, DMARC and DKIM records
Brute force attacks
Password policy improvements
Hardening tips (such as a missing CSP header or SRI attribute)

What bugs are eligible?

Any typical web security bugs such as:

Cross-site Scripting
Open redirect
Cross-site request forgery
File inclusion
Authentication bypass
Server-side code execution

How to submit and format security reports?

Send reports to security@fruition.net using the following format:

Name: <your name>
Bug type: <bug type, e.g. one of the eligible categories above>
Domain: <affected in-scope domain>
Severity: <your severity assessment>
URL: <affected URL>
PoC: <steps or request needed to reproduce the issue>