
Flow48 Responsible Disclosure Policy

Flow48 welcomes security researchers who help us keep our users' data and services secure. We value the security community and believe that responsible disclosure of security vulnerabilities protects the security and privacy of our users.

Scope

The following systems and services are in scope for vulnerability reporting:

  • Flow48 web applications
  • Public-facing APIs
  • Authentication and authorization systems

Out of Scope

The following activities and issue types are explicitly excluded from our responsible disclosure program:

  • Social engineering attacks
  • Physical security testing
  • Denial of service (DoS/DDoS) attacks
  • Automated scanning without prior approval
  • Testing on production systems without explicit authorization
  • Any activity that could impact the availability of our services
  • Low-impact findings (for example, missing security headers or self-XSS)

Reporting Process

To report a security vulnerability, please email security@flow48.com with the following information:

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Impact assessment using CVSS scoring
  • CVE identifier (if available)
  • Any proof-of-concept code or screenshots
  • Your contact information
  • Any suggested remediation steps

Response SLA

  • Initial response: Within 3 business days
  • Follow-up: Within 10 business days

Vulnerability Classification

We use the Common Vulnerability Scoring System (CVSS) to assess the severity of reported vulnerabilities:

  • Critical (CVSS 9.0-10.0)
  • High (CVSS 7.0-8.9)
  • Medium (CVSS 4.0-6.9)
  • Low (CVSS 0.1-3.9)

Recognition

For valid reports, we offer:

  • A signed thank-you letter
  • Professional references (upon request)

Safe Harbor

We will not pursue legal action against security researchers who:

  • Follow our responsible disclosure guidelines
  • Make a good faith effort to avoid privacy violations
  • Do not exploit the vulnerability beyond what's necessary to demonstrate it
  • Do not impact the availability of our services
  • Do not disclose the vulnerability publicly before we've had time to fix it

Legal Considerations

By participating in our responsible disclosure program, you agree to:

  • Comply with all applicable laws and regulations
  • Not access or modify user data without explicit permission
  • Not perform any testing that could impact our services
  • Keep vulnerability details confidential until we've had time to fix them

Contact

For any questions about our responsible disclosure program, please contact us at security@flow48.com.