Fast Simon welcomes reports of security vulnerabilities in our products, services, and websites. If you believe you have discovered a security issue, please report it to us so we can investigate and remediate it.
How to report
Send an email to support@fastsimon.com with the subject line: Security vulnerability report
Include as much of the following as possible:
- A clear description of the issue and the potential impact
- Affected URL, endpoint, product area, or feature
- Steps to reproduce, including any proof-of-concept details needed to validate
- Screenshots, logs, or request and response samples (redact sensitive customer data)
- Any known constraints or prerequisites (account type, permissions, configuration)
- Your preferred contact information for follow-up
If you believe the issue involves sensitive data exposure, please say so in the first line of the email so we can prioritize triage.
Guidelines for good faith testing
Please:
- Avoid actions that could impact availability or customer experience (for example, denial of service, load testing, or spamming)
- Do not access, modify, delete, or exfiltrate data that is not your own
- Do not attempt social engineering, phishing, or physical attacks
- Stop testing once you have enough information to report the issue
Scope
This program covers security vulnerabilities in Fast Simon-operated assets, including our websites, dashboards, APIs, and hosted widgets and services.
Out of scope examples:
- Issues in third-party services not controlled by Fast Simon
- Reports that rely on missing best-practice headers without a demonstrated security impact
- Vulnerabilities requiring physical access to a device or a user account you do not own
- Denial of service testing or automated scanning that materially impacts service availability
What you can expect from us
- Acknowledgement of your report: within 2 business days
- Initial triage and severity assessment: as soon as practical after reproduction
- Ongoing status updates: provided when significant milestones are reached (reproduced, mitigation planned, fix deployed)
Remediation timelines
After validation and severity assignment, our target remediation timelines are:
- Critical: Fix deployed within 48 hours of validation
- High: Fix deployed within 5 business days
- Medium: Fix deployed within 10 business days
- Low: Fix scheduled in the next planned release cycle
Coordinated disclosure
We request coordinated disclosure. Please allow us time to investigate and remediate before public disclosure. If you intend to disclose publicly, include your proposed disclosure date in the report so we can coordinate appropriately.
Safe harbor
If you follow the guidelines above, act in good faith, and avoid privacy, data, and availability impacts, Fast Simon will not initiate legal action against you for your security research. This does not apply to activities that are abusive, disruptive, or involve unauthorized access to data.