Vulnerability Disclosure

We take our systems' security seriously, and we value input from the security community. If you've discovered a vulnerability, we appreciate your help in disclosing it to us.

Last updated: January 2026

1. Introduction

Familiar is committed to the security of our platform, our infrastructure, and the data entrusted to us by our clients. We recognize that independent security researchers play a valuable role in helping us identify and address potential vulnerabilities.

This Vulnerability Disclosure Policy outlines how to report security vulnerabilities to us responsibly, what you can expect from us in return, and the guidelines we ask you to follow.

2. Scope

This policy applies to vulnerabilities discovered in the following Familiar-owned assets:

  • familiarhq.com — our marketing website
  • app.familiarhq.com — our web application and platform
  • APIs — any publicly accessible API endpoints operated by Familiar

Out of Scope

The following are considered out of scope and should not be tested or reported under this policy:

  • Third-party services, applications, or platforms integrated with Familiar (e.g., payment providers, PMS integrations, analytics tools). Vulnerabilities in third-party services should be reported directly to the respective provider.
  • Social engineering attacks (phishing, vishing, etc.) against Familiar employees or clients
  • Physical security vulnerabilities
  • Denial-of-service (DoS or DDoS) attacks
  • Automated scanning or brute-force attacks that may degrade service availability
  • Vulnerabilities in software or systems not owned or operated by Familiar

3. Reporting a Vulnerability

If you believe you have discovered a security vulnerability in any of our in-scope assets, please report it to us at:

  • Email: security@familiarhq.com

To help us assess and resolve the issue as quickly as possible, please include the following information in your report:

  • Description: a clear and detailed description of the vulnerability, including the type of issue (e.g., XSS, SQL injection, authentication bypass, IDOR)
  • Steps to reproduce: step-by-step instructions to reliably reproduce the vulnerability, including any specific URLs, parameters, or payloads used
  • Screenshots or proof of concept: any supporting evidence, such as screenshots, screen recordings, HTTP request/response logs, or a minimal proof-of-concept script
  • Impact assessment: your assessment of the potential impact of the vulnerability, including what data or functionality could be affected
  • Environment details: the browser, operating system, and any tools used during your research

Please submit one vulnerability per report to ensure clear tracking and resolution.

4. Responsible Disclosure Guidelines

We ask that all security researchers adhere to the following guidelines:

  • Act in good faith: conduct your research with the intent of improving security, not causing harm
  • Avoid data destruction: do not delete, modify, or corrupt data belonging to Familiar or its clients
  • Do not access others’ data: if you discover access to data belonging to other users or clients, stop immediately and report the finding. Do not view, download, copy, or store such data.
  • Do not disrupt services: avoid actions that could degrade the availability or performance of our Services, including denial-of-service attacks, excessive automated scanning, or brute-force attempts
  • Maintain confidentiality: do not publicly disclose the vulnerability until we have had a reasonable opportunity to assess and remediate the issue, and we have confirmed that disclosure is appropriate
  • Use test accounts: where possible, use your own test accounts for research. Do not target accounts belonging to other users.
  • Comply with applicable laws: your research must comply with all applicable laws and regulations

5. Safe Harbor

Familiar considers security research conducted in accordance with this policy to be authorized and will not pursue legal action against researchers who:

  • Act in good faith and in compliance with this Vulnerability Disclosure Policy
  • Avoid privacy violations, data destruction, and service disruption
  • Report vulnerabilities promptly and provide us with a reasonable timeframe to remediate before any disclosure

If at any point you are uncertain whether your research complies with this policy, please contact us at security@familiarhq.com before proceeding.

This safe harbor does not extend to activities that violate applicable law or cause harm to Familiar, its clients, or third parties.

6. Response Process

When you submit a vulnerability report, you can expect the following process:

  • Acknowledgment: we will acknowledge receipt of your report within 5 business days.
  • Assessment: our security team will triage and assess the reported vulnerability within 15 business days of acknowledgment. We may contact you for additional information during this period.
  • Remediation: if the vulnerability is confirmed, we will work to remediate it based on severity. Critical and high-severity issues will be prioritized for immediate resolution.
  • Resolution notification: we will notify you when the vulnerability has been resolved and, where appropriate, provide details about the fix.

We will keep you informed of our progress throughout the process and aim to be transparent about our assessment and timeline.

7. Recognition

We appreciate the efforts of security researchers who help us keep Familiar secure. With your permission, we may acknowledge your contribution publicly (e.g., on a security acknowledgments page) unless you prefer to remain anonymous.

Please note that Familiar does not currently operate a bug bounty program and does not provide monetary rewards for vulnerability reports. We may revisit this position in the future.

8. Changes to This Policy

We may update this Vulnerability Disclosure Policy from time to time. When we make changes, we will revise the “Last updated” date at the top of this page. We encourage you to review this policy before submitting a report.

9. Governing Law

This Vulnerability Disclosure Policy is governed by and construed in accordance with the laws of France. Any dispute arising out of or in connection with this policy shall be subject to the exclusive jurisdiction of the competent courts of France.

10. Contact

For all security-related inquiries, vulnerability reports, or questions about this policy, please contact us at:

  • Email: security@familiarhq.com
  • Postal mail: Familiar SAS, 1663 rue de Majornas, 01440 Viriat, France — Attn: Security Team
