A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

# Our security address in case of questions (not for security reports)
Contact: mailto:security@flo.health

# security.txt expiration date
Expires: 2026-01-30T22:00:00.000Z

# Preferred reporting language is English
Preferred-Languages: en

# Flo Health is using HackerOne platform for managing submissions and bounties.
# Our security policy is described below. Note that all reports, findings and submissions must go through this form, otherwise they will not be rewarded.
# Important: please carefully read the scope of the program before making a submission.
Policy: https://flo.health/responsible-vulnerability-disclosure-program