Report a security vulnerability.
Use this page to report a suspected vulnerability affecting Fig Group systems. We review good-faith reports and will contact you if we need further detail.
Send enough detail for our team to reproduce the issue.
Include affected URLs, the type of issue, reproduction steps, and the likely impact. Please do not submit secrets, customer data, passwords, tokens, or full data extracts.
Stay within scope
Test only Fig systems you are authorised to access and only as far as needed to demonstrate the issue.
Protect data
Do not extract, retain, disclose, or modify customer data, credentials, tokens, or personal information.
Avoid disruption
Do not perform denial-of-service testing, spam, social engineering, physical testing, or noisy automated scanning.
Report promptly
Submit enough detail for us to reproduce the issue, then give our team reasonable time to investigate.
What to report here.
Reports should relate to Fig Group websites, public forms, forms proxy endpoints, or customer-facing Fig systems. For unrelated abuse, sales, support, or certification queries, use the standard contact page instead.
In scope
Authentication, access control, data exposure, injection, cross-site scripting, configuration, or business logic weaknesses affecting Fig systems.
Out of scope
Spam, social engineering, physical testing, denial-of-service testing, credential stuffing, and automated scanning that degrades service.