Bug Bounty Program

FlowHunt aims to keep its service safe for everyone, and data security is of utmost importance. If you are a security researcher and have discovered a security vulnerability in the Service, we appreciate your help in disclosing it to us privately and giving us an opportunity to fix it before publishing technical details.

FlowHunt will engage with security researchers when vulnerabilities are reported to us as described here. We will validate, respond, and fix vulnerabilities in support of our commitment to security and privacy. We won’t take legal action against, suspend, or terminate access to the Service of those who discover and report security vulnerabilities responsibly. FlowHunt reserves all of its legal rights in the event of any noncompliance.

Eligibility

To be eligible for our bug bounty program, you must:

• Be at least 18 years old
• Not be a current or former FlowHunt employee, contractor, or immediate family member
• Not be subject to US sanctions or reside in a US embargoed country
• Comply with all applicable laws and regulations
• Follow responsible disclosure practices

Reporting

Share the details of any suspected vulnerabilities with the FlowHunt Security Team at support@flowhunt.io . Please do not publicly disclose these details outside of this process without explicit permission.

Report Quality Requirements

Your vulnerability report should include:

• Summary: Brief description of the vulnerability
• Impact: Potential security impact and business risk
• Steps to Reproduce: Detailed, step-by-step instructions
• Proof of Concept: Evidence demonstrating the vulnerability
• Affected Assets: Specific URLs, parameters, or components
• Severity Assessment: Your assessment of the severity level
• Mitigation Suggestions: Recommended fixes (optional)

If you want to submit multiple reports at once, please submit only one report (the most important if possible) and wait for a response.

Response Timeline

• Acknowledgment: Within 5 business days of report submission
• Initial Assessment: Within 10 business days
• Resolution Target: Within 90 days for valid vulnerabilities
• Updates: Regular status updates throughout the process

Compensation

We are pleased to offer a bounty for vulnerability information that helps us protect our customers as a thanks to the security researchers who choose to participate in our bug bounty program.

Severity Classification

Critical Severity ($100):

• Remote code execution
• SQL injection leading to data access
• Authentication bypass affecting multiple users
• Privilege escalation to admin level
• Complete account takeover

Medium Severity ($50):

• Cross-site scripting (XSS) with significant impact
• Access control bypass affecting limited data
• Directory traversal with file access
• Session management vulnerabilities
• Broken authentication affecting single users

Low Severity (Not eligible for payout):

• Minor information disclosure
• Self-XSS with no realistic attack vector
• Rate limiting issues
• Missing security headers with no exploitable impact

Payment Terms

• Bounties are paid exclusively via PayPal
• Bug bounty hunters must generate and send a PayPal invoice
• No other payment methods are available
• Payment processing within 30 days of invoice receipt
• All payments subject to applicable tax regulations

We will only reward the first reporter of a vulnerability. Any duplicate reports will not be rewarded.

Scope

In Scope

You may only test against a FlowHunt Account for which you are the Account Owner or an Agent authorized by the Account Owner to conduct such testing. For example: yourdomain.flowhunt.io

Eligible Assets:

• *.flowhunt.io domains and subdomains
• FlowHunt web applications and APIs
• FlowHunt mobile applications (if applicable)

Eligible Vulnerability Types:

• Remote Command Execution (RCE)
• SQL Injection
• Broken Authentication
• Broken Session Management
• Access Control Bypass
• Cross-Site Scripting (XSS)
• Open URL Redirection
• Directory Traversal
• Server-Side Request Forgery (SSRF)
• Business Logic Flaws

Out of Scope

Prohibited Activities:

• Social engineering attacks (phishing, vishing, etc.)
• Physical attacks or physical access to FlowHunt facilities
• Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
• Spam, bulk communications, or automated tools against our systems
• Network-level attacks or infrastructure scanning
• Attacks requiring physical access to user devices
• Brute force attacks or password cracking
• Testing on accounts you don’t own or have explicit permission to test

Non-Eligible Findings:

• Reports of when an attacker can only threaten their own account
• XSS caused by an Admin or privileged user
• Vulnerabilities requiring unlikely user interaction
• Issues that require user to install malicious software
• Theoretical vulnerabilities without clear exploitation path
• Content spoofing without security impact
• Missing rate limiting without demonstrable impact
• Issues affecting only outdated browsers or platforms

Program Rules

Testing Guidelines

• Only test on accounts you own or have explicit permission to test
• Do not access, modify, or delete data belonging to other users
• Do not disrupt our services or degrade performance
• Limit automated testing to prevent service disruption
• Do not publicly disclose vulnerabilities before they are fixed
• Make a good faith effort to avoid privacy violations and destruction of data

Safe Harbor & Legal Protection

FlowHunt commits to:

• Not pursue legal action against researchers who comply with this policy
• Work with researchers to understand and validate security issues
• Recognize valid contributions to our security
• Maintain confidentiality and not share researcher identity without permission

Researchers must:

• Follow all applicable laws and regulations
• Only access data necessary to demonstrate the vulnerability
• Report vulnerabilities promptly and in good faith
• Not exploit vulnerabilities beyond what is necessary for demonstration

Disclosure Timeline

• Immediate: Report submitted to support@flowhunt.io
• 90 days: Standard disclosure timeline after initial report
• Coordinated: Public disclosure only after mutual agreement
• Emergency: Critical vulnerabilities may have accelerated timelines

Researchers may publicly disclose vulnerabilities 90 days after initial report, or after FlowHunt confirms the issue is resolved, whichever comes first. We encourage coordinated disclosure and will work with researchers on appropriate timing.