Vulnerability Disclosure Policy

Our commitment to security through responsible disclosure. Help us protect our users and community by reporting security vulnerabilities.

Effective: June 8th 2025
Last Updated: June 8th 2025

1. Our Commitment to Security

Security First

FiveList takes security seriously. We appreciate the efforts of security researchers and the broader community in helping us maintain the highest security standards for our platform and users.

This Vulnerability Disclosure Policy (VDP) outlines our guidelines for responsible disclosure of security vulnerabilities in FiveList services, infrastructure, and related systems. We are committed to working with security researchers to verify and address reported vulnerabilities in a timely manner.

🛡️ Our Promise

  • Acknowledge your research contribution
  • Respond to valid reports promptly
  • Coordinate disclosure responsibly
  • Credit researchers (with permission)

🎯 Our Goals

  • Protect our users' data and privacy
  • Maintain service availability and integrity
  • Foster responsible security research
  • Continuously improve our security posture

2. Scope and Coverage

This vulnerability disclosure policy applies to the following FiveList assets and services:

✅ In Scope

  • fivelist.app and all subdomains (*.fivelist.app)
  • FiveList web application and dashboard interfaces
  • FiveList Discord bot and integration systems
  • FiveList API endpoints and services
  • Mobile applications (if applicable)
  • Public-facing infrastructure and services

❌ Out of Scope

  • Third-party services and integrations (Discord, Stripe, etc.)
  • User-generated content or community Discord servers
  • Internal development, staging, or testing environments
  • Physical security or social engineering attacks
  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
  • Issues requiring physical access to FiveList infrastructure

Note on Third-Party Services:

If you discover vulnerabilities in third-party services we use (Discord, Stripe, etc.), please report them directly to those vendors through their respective vulnerability disclosure programs.

3. Vulnerability Categories and Severity

We are particularly interested in the following types of security vulnerabilities:

🔴 Critical Severity

  • Remote Code Execution (RCE)
  • SQL Injection leading to data access
  • Authentication bypass vulnerabilities
  • Mass data exposure or leakage
  • Payment system manipulation

🟠 High Severity

  • Cross-Site Scripting (XSS) in sensitive areas
  • Cross-Site Request Forgery (CSRF)
  • Privilege escalation vulnerabilities
  • Insecure Direct Object References (IDOR)
  • Server-Side Request Forgery (SSRF)

🟡 Medium Severity

  • Information disclosure vulnerabilities
  • Business logic flaws
  • Subdomain takeover vulnerabilities
  • Configuration issues with security impact
  • Rate limiting bypasses

🟢 Low Severity

  • Content spoofing issues
  • Cache poisoning (limited impact)
  • Security misconfigurations
  • Missing security headers
  • Clickjacking vulnerabilities

Severity Assessment:

Severity levels are determined based on potential impact, exploitability, and the specific context within our application. We use industry-standard frameworks like CVSS 3.1 for assessment.

4. How to Report a Vulnerability

Preferred Reporting Method

We prefer security vulnerability reports to be submitted through our Discord security channel. This ensures the fastest response times and secure communication.

1. Join Our Security Discord

Join our Discord server at https://discord.gg/T9bAH5erft

Request access to the #security-reports channel by contacting a moderator or administrator.

2. Alternative: Email Report

For sensitive reports, you may email: security@fivelist.app

3. Include Required Information

  • Vulnerability Type: Category and potential impact
  • Affected Systems: URLs, endpoints, or specific components
  • Steps to Reproduce: Clear, step-by-step instructions
  • Proof of Concept: Screenshots, videos, or code samples
  • Impact Assessment: Your assessment of severity and business impact
  • Suggested Remediation: If you have recommendations

Report Quality Tips:

High-quality reports with clear reproduction steps and impact assessment help us respond faster and more effectively. Please avoid automated scanner reports without manual verification.

5. Response Timeline and Process

We are committed to responding to security vulnerability reports in a timely manner:

Response Timeline

Initial Response

  • Critical: Within 24 hours
  • High: Within 48 hours
  • Medium: Within 72 hours
  • Low: Within 1 week

Resolution Target

  • Critical: 7-14 days
  • High: 14-30 days
  • Medium: 30-60 days
  • Low: 60-90 days

📋 Our Process

  1. Acknowledgment: We acknowledge receipt of your report
  2. Validation: Our security team verifies and reproduces the issue
  3. Assessment: We assess impact and severity and develop a remediation plan
  4. Remediation: We implement fixes and test thoroughly
  5. Disclosure: We coordinate public disclosure with the reporter
  6. Recognition: We provide credit to the researcher (if desired)

Communication:

We will keep you informed throughout the process and provide updates on our progress. We may request additional information or clarification during our investigation.

6. Responsible Disclosure Guidelines

To ensure the safety of our users and the integrity of our systems, we ask that security researchers follow these guidelines:

✅ Do

  • Report vulnerabilities privately through proper channels
  • Provide detailed steps to reproduce the issue
  • Use test accounts for research when possible
  • Respect user privacy and data confidentiality
  • Work with us on coordinated disclosure timing
  • Delete any data obtained during testing

❌ Don't

  • Access, modify, or delete user data
  • Perform actions that could harm service availability
  • Test against production systems unnecessarily
  • Publicly disclose vulnerabilities before resolution
  • Use social engineering or phishing attacks
  • Violate any applicable laws or regulations

Legal Protection:

We will not pursue legal action against researchers who discover and report vulnerabilities in accordance with this policy, provided they follow responsible disclosure practices and comply with applicable laws.

7. Recognition and Credits

We believe in recognizing the valuable contributions of security researchers who help improve our platform's security.

🏆 Recognition Options

  • Public acknowledgment in our security advisories
  • Credit in our Hall of Fame security researchers page
  • Social media recognition (with your permission)
  • Direct appreciation from our security team
  • Swag and merchandise for significant findings

📜 Hall of Fame Criteria

  • Report valid, previously unknown security vulnerabilities
  • Follow responsible disclosure guidelines
  • Provide clear reproduction steps and impact assessment
  • Work constructively with our security team
  • Consent to public recognition

Privacy Respect:

We will only provide public recognition with your explicit consent. If you prefer to remain anonymous, we will respect your privacy while still expressing our appreciation privately.

8. Contact Information

For security vulnerability reports and related inquiries:

Discord (Primary):
https://discord.gg/T9bAH5erft

Join and request access to #security-reports for confidential vulnerability reporting.

Security Email:
security@fivelist.com

For sensitive reports. PGP encryption available upon request.