Security

Coordinated Vulnerability Disclosure

At Flexabits, we take the security of our users, systems, and data seriously. If you identify a potential security vulnerability in assets under our control, we appreciate responsible reporting under a coordinated vulnerability disclosure process.

Official Reporting Channel:

1. Minimum Report Requirements

To investigate efficiently, your report must include sufficient technical detail. We may not respond to generic messages such as “I found a vulnerability, reply for details” or reports without actionable information. Please do not include passwords, authentication tokens (cookies/JWT/API keys), payment data, or other users’ personal data in your report. Redact or truncate sensitive values and share only what is necessary to reproduce the issue.

Please include, at minimum:

  1. Affected assets: Exact FQDN/URL(s), endpoint(s), parameters.
  2. Technical description: What the issue is and why it is security-relevant.
  3. Reproduction steps: Clear, step-by-step instructions.
  4. Impact: What an attacker can actually achieve (e.g., account takeover, reading or modifying other users’ data, authentication bypass) and the vulnerability class involved (e.g., IDOR, XSS, SSRF, SQLi).
  5. Evidence: PoC, screenshots, request/response samples (headers + body), logs, timestamps (UTC).
  6. CVSS v3.1 estimate.
  7. Your name/handle for acknowledgements (optional).

Automated scanner reports:

  • Accepted only if they include reproducible validation and context. Theoretical or non-actionable findings may not be prioritized.

2. Scope

This policy applies to:

  • Flexabits.com and subdomains under Flexabits control.

Out of scope:

  • Third-party services where we do not control the infrastructure/security (payment processors, external vendors, integrations). This includes third-party platforms/services even if they are accessed via our domain (for example, embedded or vendor-hosted services).
  • Issues requiring social engineering (phishing), spam, or attacks against employees/users/vendors.
  • Findings dependent solely on end-user devices, browser extensions, or local configuration.
  • Low-impact “best practice” observations without a credible security impact.

If you are unsure whether something is in scope, report it with details and we will assess.

3. Testing Rules and Good-Faith Conduct

To protect our users and services, please adhere to the following:

Not permitted:

  • DoS/DDoS, stress testing, aggressive scanning, or any activity that degrades availability.
  • Accessing, exfiltrating, modifying, or destroying other users’ data.
  • Persistence, lateral movement, or privilege escalation beyond what is strictly necessary to demonstrate impact.
  • Accessing accounts/resources that do not belong to you.
  • Extortion, threats, ransom demands, or conditioning disclosure on payment/benefits.

Permitted in good faith:

  • Minimal, non-disruptive testing to validate the issue.
  • Using only accounts and test data you own or created for the purpose of testing.

If you encounter unintended access to real user data, stop immediately, do not retain, copy, or share that data, and report the finding promptly.

4. Our Handling Process

  • Acknowledgement: Target within 72 business hours.
  • Triage: Validation, severity/impact assessment, and prioritization.
  • Remediation: Fixes are scheduled based on risk and complexity.
    • Where feasible, we will share status updates and closure.
    • Timelines may vary depending on complexity, dependencies, and the quality of the report.

5. Safe Harbor

To the extent permitted by law, if you act in good faith, remain within scope, and follow this policy (without harming users, data, or service availability), Flexabits will consider your security research authorized under this policy and will not initiate legal action for activities strictly necessary to identify and report the vulnerability. This does not apply to: abuse, intentional access to third-party data, service disruption, extortion, threats, social engineering, or any out-of-scope activity.

6. Public Disclosure

Please do not publicly disclose technical details until one of the following applies:

  • The issue has been remediated/mitigated, or
  • we have mutually agreed on a reasonable coordinated disclosure timeline.

If you plan to publish a write-up, please coordinate with us first and wait until remediation is deployed (or until the mutually agreed disclosure date).

7. Rewards

Flexabits does not currently operate a bug bounty or rewards program. Valid, high-quality reports may be recognized in our acknowledgements at our discretion.

8. Acknowledgements

We thank the security community members who help improve Flexabits security.
To be listed here, include your preferred name/handle in your report.

  • Hall of Fame:
    • Be the first!

9. Reputation