Responsible Disclosure
FloeBase values the security research community. If you discover a vulnerability in our platform, we ask that you report it responsibly. We commit to acknowledging your report, providing timely updates, and recognizing your contribution.
How to Report
Send vulnerability reports to our security team. Please include:
- Description of the vulnerability and affected components
- Steps to reproduce (include screenshots or a proof of concept where possible)
- Potential impact and suggested remediation
- Your contact information for follow-up
Response Commitment
- Acknowledgment: Initial response within 2 business days
- Triage: Assessment and validity determination within 5 business days
- Resolution: A remediation timeline, determined by severity, communicated after triage
- Recognition: We credit researchers who help us improve security (with your permission)
In Scope
We welcome reports for the following areas:
- FloeBase web application and API endpoints
- Authentication, authorization, and session handling flaws
- SQL injection, XSS, CSRF, and similar web vulnerabilities
- Insecure direct object references and access control issues
- Sensitive data exposure (PHI, credentials, tokens)
- Server-side request forgery (SSRF) in our infrastructure
Out of Scope
The following are not eligible for this program:
- Social engineering or physical security attacks
- Denial-of-service (DoS) or resource exhaustion
- Vulnerabilities in third-party services outside our control
- Issues requiring physical access to a user's device
- Theoretical vulnerabilities without demonstrated impact
- Findings obtained by violating our Terms of Service (e.g., unauthorized testing against customer data)
Safe Harbor
We will not pursue legal action or ask law enforcement to investigate researchers who make good-faith efforts to follow this policy. We expect that you will not access, modify, or exfiltrate customer data, disrupt our services, or violate applicable laws. We reserve the right to modify this policy and will honor the policy in effect at the time of your report.