- handbook
- Company
- Company
- Board
- Communications
- Decision making
- Guides
- KPIs and OKRs
- principles
- Remote Work
- Security
- Asset Management Policy
- Business Continuity & Disaster Recovery Policy
- Data Management Policy
- Information Security Roles and Responsibilities
- Operations Security Policy
- Risk Management Policy
- Third-Party Risk Management Policy
- Human Resources Security Policy
- Access Control Policy
- Incident Response Plan
- Cryptography Policy
- Information Security Policy and Acceptable Use Policy
- Secure Development Policy
- strategy
- values
- Operations
- Product
- Feedback
- Market Segments
- Metrics
- Node-RED Dashboard
- personas
- Pricing Principles
- Principles
- Responsibilities
- Strategy
- Versioning
- Customer department
- Customer
- Hubspot
- Marketing
- How we work
- Marketing
- Video
- Boiler Plate Descriptions
- Customer Stories
- Webinars
- Social Media
- blog
- Marketing - Website
- Sales
- Engineering & Design Practices
- Design
- Engineering
- contributing
- Front End
- Packaging Guidelines
- Platform Ops
- Deployment
- Incident Response
- Observability
- Production Environment
- Staging Environment
- FlowFuse Dedicated
- Project Management
- Releases
- Security Policy
- tools
- Internal Operations
- People Ops
# Security Reporting Policy
This policy relates to external disclosures of potential vulnerabilities in the FlowFuse platform and associated components.
Our internal Incident Response plan is documented here.
We recognise the benefit of 3rd party security researchers looking for potential vulnerabilities in our application (https://app.flowfuse.com). However we ask researchers to do so responsibly.
Please make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.
Please refrain from:
- Denial of service live/running services
- Spamming
- Social engineering (including phishing) of FlowFuse staff or contractors
Out of scope assets:
- The marketing website (https://flowfuse.com - forms, chat, etc)
- The dashboard documentation (https://dashboard.flowfuse.com)
- The community forum (https://community.flowfuse.com/)
# Reporting a Vulnerability
Please report any vulnerabilities discovered in FlowFuse products to security@flowfuse.com. Reports must meet our reporting requirements otherwise they will be rejected.
# Reporting Requirements
We will evaluate all submissions made in good faith, however we do require a minimum set of information to be included for a report to be considered. This is intended to discourage spam submissions as they do not benefit anyone involved.
- Time/date (UTC) the issue was discovered
- Username/email of any users involved with the issue
- URLs involved in the issue; simply providing the home url of our website is not sufficient
The more concrete information that can be provided in the initial issue report, the quicker we will be able to evaluate it.
We reserve the right to reject any submission that fails to provide sufficient details. We will also record submissions that turn out to be invalid or lack supporting evidence. Where there becomes a pattern of such submissions from an individual, this will have a bearing on any future consideration of bug bounty rewards for genuine issues they submit.
# Bug Bounties
At our sole discretion, we may choose to reward a responsibly disclosed issue according to their severity, impact and quality of report.
We also consider a reporter's history of reporting issues. We will not reward someone who spams us in the hope that something sticks.
Multiple reports of the same issue manifesting in different ways will be treated as a single report.
# Ineligible vulnerability types
The following types of vulnerability are not eligible for any reward.
- Admin-initiated Stored XSS / HTML Injection - FlowFuse administrators are considered trusted users on the system. If an issue is only exploitable by administrators, then it is not eligible.
- Rate-limiting - We apply rate limiting across the whole FlowFuse platform API, with different limits applied based on the context of the API. We keep the limits under review to balance security and convenience. If an issue relates to rate-limiting, but is demonstrably within our configure rate-limits, then it will not be eligible.
# Payments
In the exceptional circumstances that we choose to reward a disclosure based on the criteria above you will be notified via the email used to submit the disclosure. If you have sent multiple reports we may choose to produce a combined response rather than reply to each email individually.
Rewards are paid in accordance with our vendor process.