Bug_Report_Bounty_Policy.md

BUG REPORT/BOUNTY POLICY

Classification Level

Publicly available

Review Information

Mandatory Review Period

Yearly

Date of Last Review

February 23, 2024

Introduction

A bug report/bounty policy clearly lays out how to make bug reports and how we address them.

Goal Statement

We've always tried to be as community oriented as we practically can be. We always appreciate a valid bug report, but our general policy is that we don't offer monetary or other rewards for bug reports.

Background Statement

Obviously we don't want to turn away assistance from people willing to take the time to find issues with our product or configurations. The current reality is that, as a small, private company, it isn't practical for us to pay bug bounties. We get a lot of reports that are valid but are either low risk or something we simply don't have the people available to address immediately, as we are focused on continuing to improve and expand the product. All that being said, if your goal is to help us improve the offering, we don't want to turn that help away.

Policy

1. All bugs involving the open source aspects of our code should be submitted to the GitHub repository where the bug was found.
2. All bugs involving networking, configurations, our website, etc., should be submitted to help@fontawesome.com.
3. We do not offer monetary or other (swag) rewards for bug submissions.
4. We will collect security bug reports and:
    1. If the issue was previously unknown AND
    2. Is determined by our head of security to have high enough risk, WE MAY
    3. Praise the work of the reporter on Twitter (if the reporter consents to having us release their Twitter handle and finding) and WE WILL
    4. Communicate the results of our investigation into the bug report with:
        1. The original reporter (if the reporter consents to having us release their Twitter handle and finding) AND
        2. Identify our plan and timeframe to mitigate the issue
    5. All determinations of risk are at the final discretion of the head of security.