Firisbe
SECURITY POLICY

Security Disclosure Policy

If you believe you have found a security vulnerability in Firisbe systems, report it to security@firisbe.com so we can validate, prioritize, and remediate it through a coordinated process.

Document Scope

This policy describes how external researchers, partners, customers, and users can report suspected security vulnerabilities to Firisbe.

It applies to Firisbe websites, portals, mobile applications, APIs, SDKs, payment infrastructure, documentation surfaces, and related digital services that are operated by or on behalf of Firisbe.

Report a Vulnerability

If you identify a suspected vulnerability, send your report to security@firisbe.com. This is the primary reporting channel for security issues.

Please avoid sending sensitive personal data, live payment data, production secrets, or exploit material that is not necessary to validate the finding.

Primary contact

security@firisbe.com

security.txt

The canonical file is available at /.well-known/security.txt.

PGP public key

A public key file can be published at /security-pgp-key.txt. Until the real key is published, request encrypted handling through security@firisbe.com.

Languages

Firisbe accepts vulnerability reports in English or Turkish.

What to Include

A clear, reproducible report helps us validate the issue quickly and route it to the right owner.

Affected surface

Product, service, domain, API endpoint, mobile application, SDK version, or environment.

Impact

What an attacker could access, modify, disrupt, bypass, or infer if the issue were exploited.

Reproduction steps

Exact steps, requests, screenshots, logs, or proof-of-concept details needed to reproduce the behavior safely.

Researcher contact

A reply address and optional name or organization so we can ask follow-up questions and provide updates.

Responsible Testing Rules

Research must be limited, controlled, and designed to demonstrate the issue without creating operational, legal, privacy, or payment-system risk.

Use minimum access

Access only what is necessary to verify the vulnerability. Do not view, alter, store, or exfiltrate unrelated data.

Avoid disruption

Do not run denial-of-service tests, load tests, destructive automation, social engineering, spam, or phishing.

Protect secrets and data

Do not disclose credentials, tokens, cardholder data, personal data, or confidential information to third parties.

Coordinate before disclosure

Do not publicly disclose the issue before Firisbe has investigated and remediated it, unless we agree otherwise in writing.

Out-of-Scope Activity

The following activity is not authorized under this policy and may be treated as misuse even if a vulnerability exists.

Availability attacks

DoS, DDoS, resource exhaustion, queue flooding, or tests that degrade service reliability.

Social engineering

Phishing, vishing, impersonation, physical access attempts, or coercion of Firisbe employees, customers, or partners.

Payment abuse

Fraud attempts, live transaction manipulation, card testing, bypassing payment controls, or use of real cardholder data.

Third-party systems

Systems not owned or operated by Firisbe, unless Firisbe explicitly authorizes testing in writing.

Firisbe Response Commitments

Firisbe reviews security reports in good faith, prioritizes issues by severity and operational impact, and works toward remediation through the appropriate engineering, product, compliance, or partner process.

Acknowledgement

We aim to acknowledge receipt within 5 business days.

Initial assessment

We aim to complete an initial triage within 10 business days where the report contains enough detail.

Progress updates

We provide updates when material status changes occur or when more information is needed.

Coordinated disclosure target

We generally work toward a 90-day coordinated disclosure window, adjusted for severity, dependencies, regulation, or payment-network obligations.

Safe Harbor

Firisbe does not intend to initiate legal action against researchers who act in good faith, comply with this policy, avoid privacy or service disruption, and report vulnerabilities promptly through the approved channel.

Safe harbor does not apply to extortion, fraud, data theft, public disclosure before coordination, persistence, malware, or activity that harms Firisbe, its customers, partners, users, or payment operations.

If you are unsure whether a test is allowed, contact security@firisbe.com before proceeding.

Recognition

Firisbe may thank researchers who submit valid, previously unknown vulnerabilities and follow this policy. Recognition is optional and depends on researcher consent, issue validity, and applicable confidentiality obligations.

Firisbe does not currently operate a public bug bounty program. No monetary reward is promised unless Firisbe separately agrees in writing.

Policy Updates

Firisbe may update this policy as products, security processes, certification requirements, or reporting channels change. The latest policy is published on this page, and the canonical security.txt file points to the current policy URL.

REPORT SECURELY

Found a vulnerability? Email the security team.

Send the affected surface, impact, reproduction steps, and contact details to security@firisbe.com. Keep testing limited and do not disclose publicly before coordination.