Continuous Hacking to our technology | Fluid Attacks Help

Continuous Hacking to our technology


We have projects focused on hacking our software. It is essential for us to be an example of secure software. That's why our entire technology stack goes through a process of comprehensive Continuous Hacking.

All our development projects run Continuous Integration pipelines, including exploits and strict linters, to ensure that no known vulnerabilities are released to production.

Additionally, we run a bug bounty program to ensure the highest security and privacy of our websites. Everyone is eligible to participate in the bug bounty program, and people is encouraged to find and responsibly report vulnerabilities through a monetary award based on the impact of the vulnerability.

Vulnerability Response Process

  1. Researcher submits a report through any of the channels mentioned above.

  2. A Response Team is assigned, based on availability and the knowledge-set.

  3. Response Team responds to Researcher. and makes inquiries to satisfy any needed information and confirm if the report is indeed a vulnerability. If it is not a vulnerability, the Response Team communicates to Researcher why.

  4. A severity of the vulnerability is established based on its CVSS score.

  5. A confidential issue is created in Fluid Attacks' bug tracker, and prioritized according to its severity. 
    If appropriate, users are notified of the vulnerability including any steps for them to take, but without any details that could suggest an exploitation path.

  6. Appropriate patches are worked on locally by the Response Team.

  7. Patches are reviewed with the researcher.

  8. Vulnerability announcement is drafted and a release date if discussed.

  9. At the release date: the fix is deployed, and the vulnerability is announced at Fluid Attacks News, and through e-mail to the affected users if appropriate.

  10. The researcher is contacted and asked if they wish for credit.

  11. Internal Fluid Attacks meetings are held in order to analyze the incident and take any actions that can isolate our code base, prevent similar incidents, reduce future incidents, or improve future responses.