Vulnerability Disclosure
Security at Fuzze.rs
We build fuzzing infrastructure for security teams. We treat reports against our own platform with the same seriousness.
In scope
- fuzze.rs and all subdomains we operate
- The Fuzze.rs REST API (/api/*)
- Authentication, session handling, and account isolation between tenants
- Customer-data confidentiality (crashes, fuzz harnesses, corpora)
- Stripe webhook handling and billing-state integrity
Out of scope
- Findings in the open-source fuzzers (AFL++, libFuzzer, Honggfuzz, Centipede) themselves — please report upstream
- Self-XSS, clickjacking on pages without sensitive actions
- Best-practice security-header complaints with no exploit path
- Denial-of-service via volumetric request flooding
- Issues only reproducible on out-of-date browsers
How to report
Email [email protected] with:
- A clear reproduction (steps, request bodies, screenshots if relevant)
- An assessment of impact (what an attacker can achieve)
- Your preferred attribution name (or anonymous if you prefer)
We acknowledge every report within 48 hours and will keep you updated as the fix progresses.
Safe harbor
We will not pursue legal action for good-faith security research that:
- Does not access, modify, or destroy data belonging to other Fuzze.rs customers
- Does not cause material degradation to the service for other customers
- Reports findings privately via the contact above before any public disclosure
- Gives us a reasonable window (typically 90 days) to remediate before publication
We do not currently run a paid bug-bounty programme. We do publicly credit researchers (with their consent) on our changelog page when fixes ship.