Responsible Disclosure

If you've found a vulnerability, here's how to tell us — and what we promise in return.

Last updated: May 6, 2026

Scope

In scope:

  • fyber.one and all subdomains
  • fyber.link and all subdomains
  • Public APIs (api.fyber.one, admin-api.fyber.one)
  • Our official SDKs (JavaScript, PHP, .NET, Flutter)

Out of scope:

  • Third-party services we integrate with (FAC, MPGS, Cloudflare, etc.)
  • Social engineering attacks against Fyber staff
  • Denial-of-service attacks (DoS / DDoS)
  • Issues in unsupported browsers or outdated dependencies

What to test

Production is fine for read-only and authentication testing. For destructive tests (creating large numbers of accounts, attempting payment authorisations beyond simple proof-of-concept), request a sandbox tenant via security@fyber.one.

Safe harbor

Fyber will not pursue legal action or initiate law-enforcement contact against good-faith researchers who:

  • Follow this policy
  • Make a good-faith effort to avoid privacy violations, destruction of data, and interruption of service
  • Stop testing immediately upon discovering a vulnerability
  • Do not exfiltrate data beyond the minimum needed to demonstrate the issue

How to report

Email security@fyber.one with:

  • Clear reproduction steps (a curl command, a screenshot, or a video)
  • Impact assessment — what an attacker could do with this
  • Your preferred contact info

For sensitive findings, encrypt your report with our PGP key. The key fingerprint will be posted on this page once the key is available; until then, plain email is fine.

Response SLAs

  • Acknowledgement — 2 business days
  • First triage — 7 business days
  • Remediation by severity:
    • Critical — 7 days
    • High — 30 days
    • Medium — 90 days
    • Low — 180 days

Recognition

At our discretion, researchers who report vulnerabilities are listed in a hall of fame (with their permission). We do not currently run a paid bug-bounty programme, but credit and a Fyber t-shirt are guaranteed.

Out-of-scope behaviours

  • Automated vulnerability scanners that generate noise without confirmation
  • Anything that disrupts other Fyber customers
  • Reports of issues already publicly known (e.g. an outdated dependency with a CVE we're already tracking)