Floynk logo

Vulnerability Reporting

Responsible vulnerability disclosure policy for Floynk services

Probeer Gratis

Vulnerability Reporting

Effective Date: January 1, 2025

Floynk B.V. ("Floynk", "we", "us", "our") takes the security of our systems and services seriously. This Responsible Vulnerability Disclosure Policy outlines how security researchers and users can report security vulnerabilities in our systems.

1. Our Commitment to Security

We are committed to:

  • Protecting our users' data and privacy
  • Maintaining secure and reliable services
  • Working with the security community to improve our security posture
  • Responding promptly and transparently to security reports

2. Scope

This policy applies to security vulnerabilities in:

2.1 In-Scope Systems

  • Main Website: www.floynk.com
  • Application Platform: app.floynk.com
  • API Endpoints: api.floynk.com
  • Subdomain Services: *.floynk.com
  • Mobile Applications: Floynk mobile apps (iOS and Android)

2.2 In-Scope Vulnerability Types

  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • SQL Injection and other injection vulnerabilities
  • Authentication and authorization flaws
  • Remote code execution vulnerabilities
  • Server-side request forgery (SSRF)
  • Directory traversal and file inclusion vulnerabilities
  • Business logic vulnerabilities
  • Data exposure and privacy vulnerabilities
  • Cryptographic vulnerabilities

2.3 Out-of-Scope Systems

  • Third-party services and integrations not owned by Floynk
  • Services provided by our hosting providers
  • Social engineering attacks
  • Physical attacks against Floynk offices or employees
  • Attacks requiring physical access to user devices

2.4 Out-of-Scope Vulnerability Types

  • Issues that require unlikely user interaction
  • Self-XSS that cannot affect other users
  • Reports from automated scanners without manual verification
  • Issues affecting outdated browsers or operating systems
  • Rate limiting issues (unless they lead to resource exhaustion)
  • Issues requiring root/administrator privileges
  • Open ports without an accompanying proof of concept
  • Reports based on best practices without demonstrable security impact

3. Responsible Disclosure Guidelines

3.1 Research Ethics

Security researchers should:

  • Only test against their own accounts or with explicit permission
  • Not access, modify, or delete other users' data
  • Not disrupt our services or degrade user experience
  • Not perform testing on production systems that could cause harm
  • Respect user privacy and data protection laws

3.2 Testing Limitations

Please avoid:

  • Social engineering attacks against Floynk employees or users
  • Physical attacks or attempts to access Floynk facilities
  • Denial of service (DoS) or distributed denial of service (DDoS) attacks
  • Automated scanning that generates excessive traffic
  • Testing third-party applications integrated with our services

3.3 Data Handling

If your research involves accessing personal data:

  • Minimize data access and collection
  • Do not download, store, or share personal data
  • Report the vulnerability immediately
  • Delete any accidentally accessed data

4. How to Report a Vulnerability

4.1 Preferred Reporting Methods

Email: security@floynk.com

  • Use PGP encryption if possible (public key available on our website)
  • Include detailed technical information
  • Provide proof of concept when appropriate

Security Portal: Secure reporting form on our website

  • Guided form for structured vulnerability reporting
  • Secure file upload for screenshots and proof of concept

4.2 Required Information

Please include the following in your report:

  • Vulnerability Type: Category and description of the vulnerability
  • Affected System: Specific URLs, endpoints, or applications
  • Impact Assessment: Potential impact and affected users
  • Technical Details: Steps to reproduce the vulnerability
  • Proof of Concept: Demonstration code, screenshots, or videos
  • Your Information: Contact details for follow-up communication

4.3 Report Template

Title: [Brief description of the vulnerability]

Summary:
[Brief description of the vulnerability and its impact]

Affected System:
[URL, endpoint, or application affected]

Vulnerability Details:
[Technical explanation of the vulnerability]

Steps to Reproduce:
1. [Step by step instructions]
2. [Include all necessary details]
3. [Provide expected vs actual results]

Impact:
[Description of potential impact and affected users]

Proof of Concept:
[Code, screenshots, or other evidence]

Suggested Fix:
[Optional: Your recommendations for fixing the issue]

Contact Information:
[Your name and preferred contact method]

5. Our Response Process

5.1 Acknowledgment

  • We will acknowledge receipt of your report within 48 hours
  • You will receive a unique identifier for tracking your report
  • We will provide an initial assessment of the report's validity

5.2 Investigation Timeline

  • Initial Triage: Within 5 business days
  • Detailed Analysis: Within 10 business days for valid reports
  • Resolution Timeline: Varies based on complexity and severity
  • Progress Updates: Regular updates throughout the investigation

5.3 Communication

  • All communication will be handled through secure channels
  • We will keep you informed of our progress
  • We may request additional information or clarification
  • We will notify you when the issue has been resolved

6. Vulnerability Assessment

6.1 Severity Levels

Critical

  • Remote code execution vulnerabilities
  • Authentication bypass affecting multiple users
  • Data exposure of sensitive personal information
  • Timeline: Fix within 7 days, disclosure in 30 days

High

  • Privilege escalation vulnerabilities
  • SQL injection with data access
  • XSS affecting sensitive functionality
  • Timeline: Fix within 14 days, disclosure in 60 days

Medium

  • Authentication flaws with limited impact
  • Business logic vulnerabilities
  • Information disclosure with moderate impact
  • Timeline: Fix within 30 days, disclosure in 90 days

Low

  • Minor information disclosure
  • Configuration issues with minimal impact
  • Timeline: Fix within 60 days, disclosure in 120 days

6.2 Impact Assessment Factors

  • Number of affected users
  • Type and sensitivity of exposed data
  • Ease of exploitation
  • Potential for automation
  • Business impact and reputation risk

7. Recognition Program

7.1 Security Hall of Fame

We maintain a Security Hall of Fame recognizing researchers who:

  • Report valid security vulnerabilities
  • Follow our responsible disclosure guidelines
  • Contribute to improving our security posture

7.2 Recognition Criteria

  • Vulnerability must be in scope and valid
  • Report must follow disclosure guidelines
  • Researcher must agree to public recognition

7.3 Bug Bounty Program

Currently, we do not offer monetary rewards but we are considering implementing a bug bounty program in the future. Researchers will be notified of any changes to our recognition program.

8. Coordinated Disclosure

8.1 Disclosure Timeline

  • We prefer a 90-day disclosure timeline from initial report
  • Earlier disclosure may be agreed upon for lower-severity issues
  • Extensions may be requested for complex issues requiring significant development work

8.2 Public Disclosure

  • Vulnerabilities will be disclosed after fixes are deployed
  • We will work with reporters on disclosure content and timing
  • Credit will be given to researchers (with their permission)

8.3 Security Advisories

For significant vulnerabilities, we will:

  • Publish security advisories on our website
  • Notify affected customers directly
  • Provide mitigation guidance and patches
  • Work with industry partners as appropriate

9. Legal Considerations

9.1 Safe Harbor

We will not pursue legal action against security researchers who:

  • Follow this responsible disclosure policy
  • Act in good faith
  • Do not violate applicable laws
  • Do not harm our users or systems

9.2 Scope Limitations

This policy does not authorize:

  • Testing against systems not owned by Floynk
  • Accessing other users' data without permission
  • Violating applicable laws or regulations
  • Social engineering or physical attacks

10. Contact Information

10.1 Security Team

Primary Contact: security@floynk.com
Response Team: security-team@floynk.com
PGP Key: Available at https://www.floynk.com/.well-known/pgp-key.asc

10.2 Business Contact

Floynk B.V.
Email: legal@floynk.com
Address: Company Address
Netherlands

10.3 Emergency Contact

For critical vulnerabilities requiring immediate attention:

11. Frequently Asked Questions

11.1 What if I find a vulnerability in a third-party service?

Please report it directly to the affected vendor. We appreciate being informed if the vulnerability affects our users.

11.2 Can I test in production?

Limited testing is acceptable if it doesn't affect other users or disrupt services. Use test accounts when possible.

11.3 What about vulnerabilities in open source components?

Please report these to the upstream maintainers and inform us if they affect our services.

11.4 Will my report be kept confidential?

Yes, all reports are treated confidentially until public disclosure is agreed upon.

12. Updates to This Policy

This policy may be updated to reflect:

  • Changes in our systems and services
  • Improvements in our security processes
  • Feedback from the security community
  • Changes in legal or regulatory requirements

Updates will be posted on our website with the effective date clearly marked.

13. Thank You

We appreciate the security community's efforts in helping us maintain secure services. Your research and responsible disclosure help protect our users and improve our security posture.

Last updated: January 1, 2025