Vulnerability Disclosure Policy
We take our systems' security seriously, and we value input from the security community. If you've discovered a vulnerability, we appreciate your help in disclosing it to us.
1. Introduction
Familiar is committed to maintaining the security of its platform and protecting the data entrusted to it.
We welcome reports of potential security vulnerabilities from security researchers, customers, and other third parties acting in good faith. This Vulnerability Disclosure Policy explains how to report vulnerabilities and the principles that apply to responsible disclosure.
This policy is provided for informational purposes only and does not create any contractual obligations.
2. Scope
This policy applies to security vulnerabilities that may affect:
- www.familiarhq.com
- app.familiarhq.com
- Familiar-owned APIs, services, and infrastructure
The following are out of scope and should be reported to the relevant third party instead:
- Third-party services or platforms integrated with the Services
- Vulnerabilities in third-party libraries where no exploit affects the Familiar platform directly
3. Reporting a vulnerability
If you believe you have discovered a security vulnerability, please report it as soon as possible by contacting:
Email: security@familiarhq.com
When reporting a vulnerability, please include:
- A clear description of the issue
- Steps to reproduce the vulnerability
- Any relevant screenshots, logs, or proof-of-concept code
- The potential impact, if known
Please do not publicly disclose the vulnerability before we have had an opportunity to investigate and remediate it.
4. Responsible disclosure guidelines
We ask that you act in good faith and comply with the following guidelines when testing or reporting vulnerabilities:
You must not:
- Access, modify, or delete data belonging to other users
- Disrupt or degrade the availability of the Services
- Perform denial-of-service (DoS) or similar attacks
- Engage in social engineering, phishing, or impersonation
- Conduct physical security testing
- Test systems or environments outside the defined scope
Testing should be limited to the minimum necessary to confirm the existence of a vulnerability.
5. Safe harbor
Familiar will not pursue legal action against individuals who:
- Discover and report vulnerabilities in good faith
- Comply with this Vulnerability Disclosure Policy
- Do not engage in malicious, reckless, or illegal behavior
This safe harbor applies only to activities conducted in accordance with this policy and applicable law.
6. Our response process
Upon receiving a vulnerability report, Familiar will:
- Acknowledge receipt within 5 business days
- Provide an initial assessment within 15 business days, where reasonably possible
- Take appropriate steps to remediate confirmed vulnerabilities
- Keep the reporter reasonably informed of progress, where appropriate
Response times may vary depending on the complexity and severity of the reported issue.
7. Recognition
Familiar does not currently operate a bug bounty or reward program.
However, at our discretion, we may acknowledge responsible reporters publicly (for example, on a security acknowledgments page), subject to the reporter’s consent.
8. Changes to this policy
We may update this Vulnerability Disclosure Policy from time to time to reflect changes in our security practices or in the threat landscape.
The updated version will apply upon publication.
9. Governing law
This Vulnerability Disclosure Policy is governed by French law.
10. Contact
For security-related matters, including vulnerability disclosures, please contact security@familiarhq.com.