Security

Vulnerability Disclosure Policy

Click to copyOverview

At Futurity, the security of our platform, infrastructure, and customer data is a top priority. We welcome and appreciate the efforts of security researchers and the broader community in helping us maintain a safe and secure environment.

This page describes how to report security vulnerabilities to us, what to expect during the process, and the protections we offer to good-faith researchers.

Click to copyReporting a Vulnerability

If you believe you have found a security vulnerability in any Futurity product or service, please report it to us as soon as possible. We ask that you report vulnerabilities privately so we can address them before they are publicly disclosed.

Email: alex@futurity.work

When reporting, please include as much detail as possible:

  • A description of the vulnerability and its potential impact.
  • Step-by-step instructions to reproduce the issue, including any relevant URLs, parameters, or payloads.
  • Screenshots, proof-of-concept code, or network captures if applicable.
  • Your contact information for follow-up.

Click to copyPGP Encryption

For sensitive reports, we encourage you to encrypt your email using our PGP public key. This ensures that the details of your report remain confidential in transit.

Key fingerprint:

03BD A818 BC65 64E1 F588 C466 6B82 1AA8 592A 0D7A

Download PGP public key

Click to copyScope

The following are in scope for security reports:

  • futurity.work and all subdomains
  • Futurity APIs and backend services
  • Futurity desktop and mobile applications

The following are out of scope:

  • Denial of service (DoS/DDoS) attacks or resource exhaustion.
  • Social engineering or phishing of Futurity employees.
  • Physical attacks against Futurity offices or data centres.
  • Vulnerabilities in third-party services or software not maintained by Futurity.
  • Reports from automated scanning tools without a demonstrated, exploitable vulnerability.

Click to copyResponse Process

We take all security reports seriously. Here is what you can expect after submitting a report:

  1. Acknowledgement — We will confirm receipt of your report within 3 business days.
  2. Assessment — Our security team will evaluate the report, reproduce the issue, and determine its severity.
  3. Remediation — We will work to resolve confirmed vulnerabilities promptly.
  4. Notification — We will notify you when the issue has been resolved and, where appropriate, credit you for the discovery.

Click to copySafe Harbor

Futurity supports safe harbor for security researchers who:

  • Make a good-faith effort to avoid privacy violations, data destruction, and disruption of our services.
  • Only interact with accounts they own or with explicit permission of the account holder.
  • Do not exploit a vulnerability beyond what is necessary to demonstrate it.
  • Report vulnerabilities privately and allow reasonable time for remediation before any public disclosure.

We will not pursue legal action against researchers who follow these guidelines.

Click to copyContact

For all security-related inquiries, please contact:

Email: alex@futurity.work

PGP key: alex.asc

security.txt: /.well-known/security.txt