We just released the next major update for Federacy: 1.8!

This release includes Assessments, 2FA, and a number of quality-of-life improvements.


We've been asked many times for a pentest or security review before launching a bug bounty program, or when a customer launches new products or features. Assessments seek to answer this need.

Assessments involve several hand-picked researchers following the OWASP Application Security Verification Standard (ASVS) Level 1, which encompasses 231 separate tests. We collate their results and report them to you with remediation advice, then validate the fixes to provide a clean bill of health.

Example of an assessment summary page

Info tab and optional awards

We've been working to make our vulnerability disclosure programs more informative and versatile, so we've added an optional Info tab, where companies can provide more context for their bug bounty programs. This section supports markdown, similar to our VDP tab.

Introduce researchers to your program via the Info tab.

We've also made the Awards tab optional for vulnerability disclosure programs that have opted out of offering bug bounties and added a Report tab for Assessment programs.


Because account security is very important to us, we've added multi-factor authentication using the time-based one-time password (TOTP) algorithm.

Set up two-factor authentication from your Account page.

Additional closed statuses

We've split the closed status into three separate states. Resolved is equivalent to our previous closed state, Rejected is for reports that are out-of-scope or invalid, and Informative is for reports that are helpful but don't result in security improvements.

Additional report status filters

Report comment box

One of the more confusing aspects of our design led numerous users to accidentally post a comment about a report to their own team instead of to the intended researcher. To resolve this UX issue, we've changed the default action to researcher-focused communication and visually distinguished the different comment types.

The light blue background differentiates team comments.