At Think Future Technologies (TFT), security is paramount. We invite security researchers and ethical hackers to participate in our Vulnerability Disclosure Program. By reporting potential vulnerabilities and security issues in our technology services, libraries, solutions, and frameworks, you help us ensure the highest level of security for our clients. We value your expertise and partnership in enhancing our offerings and protecting our clients' business outcomes. Join us in building a safer technological future.
At TFT's Vulnerability Disclosure Program, we prioritize the discovery of security vulnerabilities that directly impact the integrity and confidentiality of our technology ecosystem. We highly appreciate your efforts in helping us identify and rectify potential threats. Our program focuses on the following critical areas:
We currently don't operate a bounty or cash reward initiative for disclosures; however, we have various ways to show our appreciation for your valuable input. In cases of sincere and ethical disclosures, we're more than willing to recognize your contribution publicly. This recognition can take the form of an acknowledgment in the dedicated section on our website. Of course, we'll proceed with this gesture only if you're comfortable with receiving public acknowledgment.
Reports falling into the categories listed below are considered out of scope for our VDP:
Clickjacking on pages with no sensitive actions
Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
Attacks requiring MITM or physical access to a user's device
Any activity that could lead to the disruption of our service (DoS)
Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
Rate limiting or brute-force issues on non-authentication endpoints
Missing security headers
Self XSS
Missing HttpOnly or Secure flags on cookies
Weak password policies
Session hijacking
Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
Vulnerabilities only affecting users of outdated or unpatched browsers [Less than 2 stable versions behind the latest released stable version]
Software version disclosure / Banner identification issues / Descriptive error messages or headers (e.g. stack traces, application or server errors) / Known public files or directories disclosure (e.g. robots.txt, css/images etc)
Public Zero-day vulnerabilities that have had an official patch for less than 1 month
Tabnabbing
Open redirect - unless an additional security impact can be demonstrated
Issues that require exceedingly unlikely user interaction
Spamming (e.g. SMS/Email Bombing)