Which domains are in scope?
In scope:
*.fruition.net
tools.fruition.net
Out of scope:
cdn.fruition.net
What bugs are NOT eligible?
Disruptive bugs or bugs with no/low impact or likelihood such as:
Missing Cookie flags on non-session cookies or 3rd party cookies
Logout CSRF
Social engineering
Denial of service
Weak TLS ciphers
Email spoofing, SPF, DMARC & DKIM
Brute force attacks
Password policy improvements
Hardening tips (such as missing CSP header or SRI attribute)
What bugs are eligible?
Any typical web security bugs such as:
Cross-site Scripting
Open redirect
Cross-site request forgery
File inclusion
Authentication bypass
Server-side code execution
How to submit and format security reports?
Send to security@fruition.net
Name: name
Bug type: bugtype
Domain: domain
Severity: severity
URL: url
PoC: poc