Responsible Disclosure

Last Update: May 10, 2024

Reporting Security Vulnerabilities to FlexPay

FlexPay aims to keep its Services safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in the Services, we appreciate your help in disclosing it to us in a responsible manner.

When submitting a vulnerability, please adequately describe the attack scenario, the level of exploitability, the impact of the finding on FlexPay and/or FlexPay’s customers and users, and a detailed report with reproducible steps. If the report is not detailed enough to reproduce the issue, the issue will not be eligible for a reward.

The following are the program rules for responsible disclosure:

  • Accessing any customer data is always strictly prohibited.
  • Accessing any FlexPay internal data is always strictly prohibited.
  • Submit only one vulnerability at a time unless vulnerabilities are chained together to demonstrate impact.
  • When duplicate submissions occur, we award only the first reproducible report received.
  • Multiple vulnerabilities having a single underlying root cause will be awarded singularly.
  • Social engineering (e.g. phishing, vishing, smishing) is prohibited.
  • Privacy violations, destruction of data, and interruption of degradation of our service must be avoided. You must only use accounts you own or have the explicit permission of the account owner.
  • Results matching findings from SSL/TLS testing sites, Security Score sites, or similar will not be eligible for bounty.

Out of Scope Vulnerabilities and Exclusions

Known vulnerabilities are eligible for reward and may be marked as duplicates if the root cause aligns too closely with an already reported issue. FlexPay intends to award the maximum allowable bounty for every report.

The following issues are considered out of scope:

  • Clickjacking on pages with no sensitive actions.
  • Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions.
  • Previously known vulnerable libraries without a working Proof of Concept.
  • Any activity that could lead to the disruption of our service (DoS).
  • Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS.
  • Missing best practices in Content Security Policy.
  • Missing email best practices (for example, invalid, incomplete or missing SPF/DKIM/DMARC records).
  • Vulnerabilities affecting users of outdated or unpatched browsers.
  • Public Zero-day vulnerabilities that have had an official patch available for less than 1 month will be awarded on a case-by-case basis.
  • Open redirect (without additional security impact demonstrated).
  • Issues pertaining to FlexPay’s marketing website hosted on the root domain https://flexpay.io/

How to Submit a Vulnerability

To submit a vulnerability report to FlexPay’s Product Security Team, please utilize the following email [email protected]

Preference, Prioritization, and Acceptance Criteria

We will use the criteria from the next sections to prioritize and triage submissions.

What we would like to see from you:

  • Well-written reports in English will have a higher probability of resolution.
  • Reports that include proof-of-concept code equip us to better triage.
  • Reports that include only crash dumps or other automated tool output may receive lower priority.
  • Reports that include products not on the initial scope list may receive lower priority.
  • Please include how you found the bug, the impact, and any potential remediation.
  • Please include any plans or intentions for public disclosure.

What you can expect from FlexPay:

  • A timely response to your email.
  • After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
  • An open dialog to discuss issues.
  • Notification when the vulnerability analysis has completed each stage of our review.
  • Credit after the vulnerability has been validated and fixed.

If we are unable to resolve communication issues or other problems, FlexPay may bring in a neutral third party to assist in determining how best to handle the vulnerability.

FlexPay’s full responsible disclosure process is currently available by request within our Trust Center.