Responsible Disclosure

At Flows, we care deeply about the safety and security of our customers' data. We greatly value reports from our community that help us detect vulnerabilities in our product and services.

How to report an issue

If you have discovered an issue or vulnerability that is in-scope (see below), please send an email to security@flows.sh with the following details.

  • A summary of the vulnerability and potential impact
  • Steps to reproduce the issue, including screenshots
  • Details of your environment including OS, browser, and device details
  • If possible, proof-of-concept code to exploit the vulnerability

Upon receiving your email, our team will conduct an investigation. We will update you on our progress, and may request further details, or re-testing if needed.

All original reports will be considered, and bounties may be issued at our sole discretion.

In scope

  • https://flows.sh
  • https://app.flows.sh
  • https://api.flows-cloud.com
  • Flows SDKs
  • Vulnerabilities which apply to customers' implementations. Do not attempt to reproduce or exploit these vulnerabilities on customer implementations without express permission and communication from the customer and Flows teams.

Out of scope

  • Automated scanning
  • Social engineering, particularly involving Flows employees
  • Missing or insufficient rate limiting
  • Missing headers in responses, except in cases where material harm or exploitation is evident
  • Brute force attacks
  • DDoS attacks
  • Clickjacking on pages with no sensitive actions
  • Theoretical attacks without proof of exploitability
  • Attacks requiring physical access to a victim's device
  • Attacks requiring interception of a valid user's network traffic
  • Denial of service attacks

We kindly ask you

  • Test the vulnerability on your own account. If testing on another account, make sure you have requested explicit permission
  • Do not copy or destroy production data
  • Do not engage in activities that will cause downtime for our services
  • Avoid violations of our privacy policies, terms of service, and other data privacy regulations
  • Do not make the vulnerability public before reporting it to us via the procedures above, and giving us enough time to properly address the issue

Report Format

  • Reports must be made to security@flows.sh
  • Reports must include a summary of the vulnerability and potential impact, including a calculated CVSS score and how you arrived at that score
  • Reports must include steps to reproduce the issue, including screenshots. Video-only recordings are insufficient
  • Reports must include details of your environment including OS, browser, and device details
  • Reports must include proof-of-concept code or any payloads used to exploit the vulnerability

Risk Assessment and Bounties

  • Risk assessment and bounties will be determined on a case-by-case basis by our security team, leveraging the CVSS v3 and v4 scoring systems together with internal knowledge of our systems to accurately inform the assessment
  • Previous bounty amounts, from Flows or other bug bounty programs, are not to be considered as precedent when determining bounty amounts
  • Bounty amounts and payments, if any, are determined at our sole discretion, and will be communicated to you via email

Happy hacking, from the Flows Team