FMC Trading & Logistics Co. Ltd.
Headquartered in Hong Kong
Vulnerability Disclosure Policy
Last updated: July 2026
This version takes effect on the date above.
1. Introduction
FMC Trading & Logistics Co. Ltd. (“FMC”) takes the security of its systems seriously and welcomes reports of potential vulnerabilities in this website. This policy explains how to report a vulnerability and what to expect from us.
2. Scope
This policy applies to security vulnerabilities discovered in the public FMC website at www.fmc.hk (and the apex fmc.hk) and its associated public endpoints.
The following are out of scope:
- denial-of-service (DoS/DDoS) or volumetric testing;
- social engineering of FMC staff, customers, or vendors;
- physical attacks;
- automated scanning that degrades service;
- reports relating to third-party services or infrastructure not operated by FMC;
- non-security issues (for example, cosmetic bugs or best-practice suggestions without a demonstrable security impact).
3. How to Report
Please email security@fmc.hk with:
- a clear description of the vulnerability and its potential impact;
- the steps required to reproduce it (a proof-of-concept is helpful);
- the affected URL(s) or component(s).
Please do not include the real personal data of third parties in your report.
4. Guidelines for Researchers
When investigating, please act in good faith and:
- only interact with accounts and data you own or have explicit permission to test;
- do not access, modify, delete, or exfiltrate data beyond the minimum necessary to demonstrate the issue;
- do not disrupt or degrade our services (no denial-of-service, spam, brute-forcing, or automated high-volume testing);
- do not use social-engineering, phishing, or physical techniques;
- respect the privacy of others, and stop testing and notify us immediately if you encounter any personal data;
- give us a reasonable opportunity to remediate before disclosing the issue publicly.
5. Safe Harbor
FMC considers security research and vulnerability disclosure conducted in good faith and in accordance with this policy to be authorized. We will not pursue or support legal action against researchers for accidental, good-faith violations of this policy, and will work with you to understand and resolve the issue quickly. This does not authorize actions that are inconsistent with the guidelines above or with applicable law.
6. Our Commitment
When you submit a report in line with this policy, we will:
- acknowledge receipt within five (5) business days;
- work to validate and remediate confirmed vulnerabilities in a timely manner;
- keep you informed of our progress where appropriate;
- credit you for your discovery if you wish, once the issue is resolved.
7. Recognition
FMC does not operate a paid bug-bounty programme at this time. We are, however, grateful for responsible disclosures and are happy to acknowledge researchers who help keep our systems and users safe.
8. Changes to This Policy
We may update this policy from time to time; the current version is always available on this page.
9. Contact
Security reports: security@fmc.hk. This policy is also referenced from our machine-readable security.txt.