If you believe you have discovered a
security or privacy vulnerability that affects Fluix software,
services, or web servers, please report it to us.
Prior to reporting, please review our
responsible disclosure policy below.
Security is core to our values, and we value the input of
security professionals acting in good-faith
to help us maintain a high standard for the security and privacy for our users. This includes
encouraging responsible vulnerability research and disclosure. This policy sets out our definition
of good-faith in the context of finding and reporting vulnerabilities, as well as what you can
expect from us in return. When working with us according to this policy, you can expect us to:
- Extend Safe Harbor for your vulnerability research that is related to this
- Work with you to understand and validate your report, including a timely
initial response to the
- Work to remediate discovered vulnerabilities in a timely manner; and
- Recognize your contribution to improving our security if you are the first to
report a unique
vulnerability, and your report triggers a code or configuration change.
To encourage vulnerability research and to avoid any
confusion between legitimate research and
malicious attack, we ask that you attempt, in good faith, to:
- Play by the rules. This includes following this policy any other relevant
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data,
- Use only the Official Channels to discuss vulnerability information with us;
- Handle the confidentiality of details of any discovered vulnerabilities
according to our
- Perform testing only on in-scope systems, and respect systems and activities
- If a vulnerability provides unintended access to data: Limit the amount of data
you access to
the minimum required for effectively demonstrating a Proof of Concept; and cease testing and
submit a report immediately if you encounter any user data during testing, such as Personally
Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or
- You should only interact with test accounts you own or with explicit permission
from the account
- Do not engage in extortion.
- Do not perform any ‘denial of service’ types of attacks.
When conducting vulnerability research according to this
policy, we consider this research conducted
under this policy to be:
- Authorized in view of any applicable anti-hacking laws, and we will not
initiate or support
legal action against you for accidental, good faith violations of this policy;
- Authorized in view of relevant anti-circumvention laws, and we will not bring a
you for circumvention of technology controls;
- Exempt from restrictions in our Acceptable Usage Policy that would interfere
security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good
You are expected, as always, to
comply with all applicable laws. If legal action is initiated by a
third party against you and you have complied with this policy, we will take steps to make it known
that your actions were conducted in compliance with this policy.
If at any time you have concerns or
are uncertain whether your security research is consistent with
this policy, please submit a report through one of our Official Channels before going any
The following services and applications are in-scope:
- The fluix.io website, services and APIs, and infrastructure.
- Any public (Internet-facing) infrastructure owned and operated by Fluix Limited
- Examples include firewalls, networking devices, compute instances, proxies,
- Any public cloud (e.g. Amazon AWS) resource or infrastructure operated and
managed by Fluix.
- Public cloud storage accounts. (e.g. AWS S3 buckets)
- Public cloud compute servers. (e.g. AWS EC2 instances)
- Anything with significant impact across our entire security posture or
Out of Scope
- Attacks which require using outdated operating system, browser and/or Fluix
- Attacks designed or likely to degrade, deny, or adversely impact services or
(e.g., Denial of Service, Distributed Denial of Service, Brute Force, Password Spraying,
- Attacks designed or likely to destroy, corrupt, make unreadable (or attempts
therein) data or
information that does not belong to you.
- Attacks designed or likely to validate stolen credentials, credential reuse,
(ATO), hijacking, or other credential-based techniques.
- Intentionally accessing data or information that does not belong to you beyond
viable access necessary to demonstrate the vulnerability.
- Performing physical, social engineering, or electronic attacks against Fluix
wireless networks, or property.
- Security issues in third-party applications, services, or dependencies that
integrate with Fluix
products or infrastructure that do not have a demonstrable proof of concept for the
vulnerability (e.g., libraries, SAAS services).
- Security issues or vulnerabilities created or introduced by the reporter (e.g.,
library we rely on to include a vulnerability for the sole purpose of receiving a reward).
- Attacks performed on any systems not explicitly mentioned as authorized and
- Reports of missing “best practices” or other guidelines which do not indicate a
- Reports of security issues related to delibirately set weak security controls
by account owner
(e.g., relaxing password policy)
- Reports of successful Keychain data extraction on jailbroken iOS devices
- Reports of missing source code obfuscation in application binary files or
- Vulnerabilities requiring physical access to the victim’s unlocked device
- Reports of the presence of version information
- Reports of old versions of the software without demonstration of vulnerability
- Reports generated from automated vulnerability assessment tools.
- Reports of missing “best practices” or other guidelines which do not indicate a
- Missing cookie flags on non-sensitive cookies.
- Reports of insecure SSL/TLS ciphers (unless accompanied with working proof of
- Reports of simple IP or port scanning.
- Missing HTTP headers (e.g. lack of HSTS).
- Reports of missing Domain Name System Security Extensions (DNSSEC)
- Email security best practices or controls (e.g. SPF, DKIM, DMARC).
- Software or infrastructure bannering, fingerprinting, or reconnaissance with no
- Clickjacking or self-XSS reports.
- Any vulnerabilities requiring significant and unlikely interaction by the
victim, such as
disabling browser controls
- Reports of publicly resolvable or accessible DNS records for internal hosts or
- Reports of user-provided remote code execution in sandboxed environments (e.g.,
- Domain-based phishing, typosquatting, punycodes, bitflips, or other
- Leakage of sensitive tokens, passphrases and keys to trusted third parties on
- Reports that are based on having full control of authorized user session (e.g.
victim is using
compromised system or distracted from public computer before logging out)
- CSRF for logout endpoint
- EXIF geolocation metadata not stripped from service images (e.g. custom company
logo) or user’s
- Reports related to using alias addresses (e.g. email@example.com) to
- Reports of privilege escalation attempts that change application user interface
but does not actually expose or modify any data on the server.
- Reports of bypassing IP-based rate limits by using the pool of IP addresses
- Reports related to security issues with third-party SaaS services (e.g.
Hubspot) without proof of concept demonstrating breach of Fluix product security
- Reports related to sending domain names in text content of emails using Fluix
service (i.e. specifying “test.com” somewhere in the service and seeing it delivered in email body)
We believe in recognizing the work of others.
Fluix provides rewards to
vulnerability reporters at its discretion. You can use the following
indicative values for general guidance:
- Critical (9.0-10.0) — $3000+
- High (7.0-8.9) — $1000
- Medium (4.0-6.9)— $500
- Low (0.1-3.9) — up to $100
The reward amount depends on severity
as determined by CVSS v3.0.
When duplicates occur, we award the
first report that we can completely reproduce.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Currently we do not offer rewards for
software issues that do not have security impact.
To report a security or privacy vulnerability, send an email
to firstname.lastname@example.org and include relevant steps to
reproduce, logs and/or videos in your message.
Please report different findings by
sending diffrerent emails with a relevant subject each.
You may use our PGP key to encrypt sensitive
information that you send by email.
Our responsible disclosure policy is based on the https://disclose.io/ vulnerability disclosure framework.