Responsible Disclosure Policy

At Flanks, we take the security of our systems and our customers' data seriously. We value the work of security researchers who help us maintain a high security standard.

Scope

The following assets are in scope:

• *.flanks.io (web applications and APIs)

The following are explicitly out of scope:

• Social engineering (phishing, vishing)
• Denial of service (DoS/DDoS)
• Physical security attacks
• Third-party services and applications not owned by Flanks
• Automated scanning without prior coordination

Reporting a Vulnerability

If you believe you have found a security vulnerability, please report it to security@flanks.io with:

• A description of the vulnerability and its potential impact
• Steps to reproduce the issue
• Any supporting evidence (screenshots, logs, proof of concept)

What We Ask

• Allow reasonable time for us to investigate and address the issue before public disclosure.
• Make a good faith effort to avoid privacy violations, data destruction, and service disruption.
• Do not access or modify data belonging to other users

What We Commit To

• Acknowledging your report within 5 business days
• Providing an estimated timeline for resolution
• Keeping you informed of our progress
• Crediting you publicly (if desired) once the issue is resolved
  ‍

Safe Harbor

We will not take legal action against researchers who discover and report vulnerabilities in good faith and in compliance with this policy. We consider security research conducted in accordance with this policy to be authorized conduct.

Rewards

Flanks does not currently operate a paid bug bounty program. We offer public acknowledgment for confirmed, responsibly disclosed vulnerabilities.