If you believe you have found a security vulnerability on Flox.io, we
encourage you to let us know right away. We will investigate all legitimate
reports and do our best to quickly fix the problem. Before reporting though,
please review this page including our responsible disclosure policy, reward
guidelines, and those things that should not be reported.
Communication
Flox is a small company primarily made up of software developers and
engineers, many of whom have done penetration testing in a professional
atmosphere previously. We understand the urgency and the desire for immediate
response and resolution. We are a small team trying to do big things. We try
our best to be communicative. Someone is reading through every issue, and will
reply as soon as they are able.
Harassing messages (about disclosure, bounties, timing, amounts, etc.) will
disqualify you from our bounty program. You deserve to be compensated for your
responsible disclosure, and we reserve the right to decide the amounts based
on severity, creativity, communication, and overall pleasure derived from
working with you.
Responsible Disclosure Policy
If you give us reasonable time to respond to your report before making any
information public, and make a good faith effort to avoid privacy violations,
destruction of data, and interruption or degradation of our service during
your research, we will not bring any lawsuit against you or ask law
enforcement to investigate you.
Program Info
To show our appreciation for our security researchers, we offer a monetary
bounty for certain qualifying security bugs. Here is how it works:
Eligibility
To qualify for a bounty, you must:
- Adhere to our Responsible Disclosure Policy (above)
- Be the first person to responsibly disclose the bug
- Report a bug that could compromise the integrity of user data, circumvent the privacy protections of user data, or enable access to a system within our infrastructure, such as:
  - Cross-Site Scripting (XSS)
  - Cross-Site Request Forgery (CSRF/XSRF)
  - Broken Authentication
  - Circumvention of our Platform/Privacy permission models
  - Remote Code Execution
  - Privilege Escalation
  - Provisioning Errors
- Report a bug in flox.io or one of the following qualifying projects & products:
- Make every effort to use a test account instead of a real account when investigating bugs (if you are unable to reproduce a bug with a test account, it is acceptable to use a real account, except for automated testing)
- Not interact with other accounts without the consent of their owners
- Not reside in a country under any current U.S. Sanctions (e.g., North Korea, Libya, Cuba, etc.)
Bounties
- Bounties are awarded at the discretion of our bug bounty team
- Our minimum reward is $25 USD
- There is no maximum reward: each bounty is based on severity, creativity, communication quality, and overall experience
- Only one bounty per security bug will be awarded
- We only pay individuals
Attributes of a Good Report
- Detailed steps in your message explaining how to reproduce the bug. This should include any links you clicked on, pages you visited, URLs, user IDs, etc. Images and video can be helpful if you also include written explanations.
- Clear descriptions of any accounts used in your report and the relationships between them. Please do not use the same name on multiple accounts to avoid confusion.
- Quality before quantity. Many of our highest-paid reports had just a few lines of precise, clear explanations.
- If you send a video, consider these tips:
  - Keep it short by showing only the parts necessary to demonstrate the bug once. (Remove or redo mistakes that might happen while recording.)
  - Record at a resolution where text or URLs are readable (at least 480p; 1080p is usually not necessary.)
  - Provide commentary or instructions in your messages or video description instead of typing on-screen during the video.
  - Setting Flox.io to English while recording steps helps us quickly identify what features you use.
  - If a large amount of text appears in your video, please include a copy in your messages as well.
  - Keep the video private either by uploading it as an attachment or posting it privately online (such as with a hidden link or password that you send to us.)
Ineligible Reports and False Positives
- User enumeration. Many of the platforms we use (WordPress, Piwik, Gitlab) provide their own bounties, and while we will happily contribute upstream patches, that is unlikely to result in a bounty for you.
- Denial-of-service attacks. No, seriously; stop trying to take us out, please.
- Security issues in third-party apps or websites that integrate with Flox.io. These are not managed by Flox and do not qualify under our guidelines for security testing.
- Open redirects. Any open redirects are likely intentional at this time.
- Note that public information also includes your username, vanity URLs, ID, name, current cover photo, gender, and anything you've shared publicly.
- Profile pictures available publicly. Your current profile picture is always considered public (regardless of size or resolution.)
- Spam or social engineering techniques.
- Content injection. Posting content on Flox.io is a core feature, and content injection (also "content spoofing" or "HTML injection") is ineligible unless you can clearly demonstrate a significant risk.
- Sending messages to anyone on Flox.io.
- Accessing photos via raw image URLs from our CDN.
- Executing scripts on sandboxed domains.
This program was found on HackerOne on 2015-07-25.