Fluix Responsible Disclosure Policy
If you believe you have discovered a security or privacy vulnerability that affects Fluix software,
services, or web servers, please report it to us.
Prior to reporting, please review our responsible disclosure policy below.
Security is core to our values, and we value the input of security professionals acting in good-faith
to help us maintain a high standard for the security and privacy for our users. This includes
encouraging responsible vulnerability research and disclosure. This policy sets out our definition
of good-faith in the context of finding and reporting vulnerabilities, as well as what you can
expect from us in return. When working with us according to this policy, you can expect us to:
- Extend Safe Harbor for your vulnerability research that is related to this policy.
- Work with you to understand and validate your report, including a timely initial response to the
- Work to remediate discovered vulnerabilities in a timely manner; and
- Recognize your contribution to improving our security if you are the first to report a unique
vulnerability, and your report triggers a code or configuration change.
To encourage vulnerability research and to avoid any confusion between legitimate research and
malicious attack, we ask that you attempt, in good faith, to:
- Play by the rules. This includes following this policy any other relevant agreements;
- Report any vulnerability you’ve discovered promptly;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming
- Use only the Official Channels to discuss vulnerability information with us;
- Handle the confidentiality of details of any discovered vulnerabilities according to our
- Perform testing only on in-scope systems, and respect systems and activities which are
- If a vulnerability provides unintended access to data: Limit the amount of data you access to
the minimum required for effectively demonstrating a Proof of Concept; and cease testing and
submit a report immediately if you encounter any user data during testing, such as Personally
Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or
- You should only interact with test accounts you own or with explicit permission from the account
- Do not engage in extortion.
- Do not perform any ‘denial of service’ types of attacks.
When conducting vulnerability research according to this policy, we consider this research conducted
under this policy to be:
- Authorized in view of any applicable anti-hacking laws, and we will not initiate or support
legal action against you for accidental, good faith violations of this policy;
- Authorized in view of relevant anti-circumvention laws, and we will not bring a claim against
you for circumvention of technology controls;
- Exempt from restrictions in our Acceptable Usage Policy that would interfere with conducting
security research, and we waive those restrictions on a limited basis; and
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a
third party against you and you have complied with this policy, we will take steps to make it known
that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with
this policy, please submit a report through one of our Official Channels before going any
The following services and applications are in-scope:
- The fluix.io website, services and APIs, and infrastructure.
- Any public (Internet-facing) infrastructure owned and operated by Fluix Limited
- Examples include firewalls, networking devices, compute instances, proxies, etc.
- Any public cloud (e.g. Amazon AWS) resource or infrastructure operated and managed by Fluix.
- Public cloud storage accounts. (e.g. AWS S3 buckets)
- Public cloud compute servers. (e.g. AWS EC2 instances)
- Anything with significant impact across our entire security posture or infrastructure
Out of Scope
- Attacks which require using outdated operating system, browser and/or Fluix software
- Attacks designed or likely to degrade, deny, or adversely impact services or user experience
(e.g., Denial of Service, Distributed Denial of Service, Brute Force, Password Spraying,
- Attacks designed or likely to destroy, corrupt, make unreadable (or attempts therein) data or
information that does not belong to you.
- Attacks designed or likely to validate stolen credentials, credential reuse, account takeover
(ATO), hijacking, or other credential-based techniques.
- Intentionally accessing data or information that does not belong to you beyond the minimum
viable access necessary to demonstrate the vulnerability.
- Performing physical, social engineering, or electronic attacks against Fluix personnel, offices,
wireless networks, or property.
- Security issues in third-party applications, services, or dependencies that integrate with Fluix
products or infrastructure that do not have a demonstrable proof of concept for the
vulnerability (e.g., libraries, SAAS services).
- Security issues or vulnerabilities created or introduced by the reporter (e.g., modifying a
library we rely on to include a vulnerability for the sole purpose of receiving a reward).
- Attacks performed on any systems not explicitly mentioned as authorized and in-scope.
- Reports of missing “best practices” or other guidelines which do not indicate a security
- Reports of security issues related to delibirately set weak security controls by account owner
(e.g., relaxing password policy)
- Reports of successful Keychain data extraction on jailbroken iOS devices
- Reports of missing source code obfuscation in application binary files or embedded interpreted
- Vulnerabilities requiring physical access to the victim’s unlocked device
- Reports of the presence of version information
- Reports of old versions of the software without demonstration of vulnerability in Fluix
- Reports generated from automated vulnerability assessment tools.
- Reports of missing “best practices” or other guidelines which do not indicate a security
- Missing cookie flags on non-sensitive cookies.
- Reports of insecure SSL/TLS ciphers (unless accompanied with working proof of concept).
- Reports of simple IP or port scanning.
- Missing HTTP headers (e.g. lack of HSTS).
- Reports of missing Domain Name System Security Extensions (DNSSEC)
- Email security best practices or controls (e.g. SPF, DKIM, DMARC).
- Software or infrastructure bannering, fingerprinting, or reconnaissance with no proven
- Clickjacking or self-XSS reports.
- Any vulnerabilities requiring significant and unlikely interaction by the victim, such as
disabling browser controls
- Reports of publicly resolvable or accessible DNS records for internal hosts or infrastructure.
- Reports of user-provided remote code execution in sandboxed environments (e.g., Product Features).
- Domain-based phishing, typosquatting, punycodes, bitflips, or other techniques.
- Leakage of sensitive tokens, passphrases and keys to trusted third parties on secure connection
- Reports that are based on having full control of authorized user session (e.g. victim is using
compromised system or distracted from public computer before logging out)
- CSRF for logout endpoint
- EXIF geolocation metadata not stripped from service images (e.g. custom company logo) or user’s
- Reports related to using alias addresses (e.g. email@example.com) to circuvent any
- Reports of privilege escalation attempts that change application user interface but does not actually expose or modify any data on the server.
- Reports of bypassing IP-based rate limits by using the pool of IP addresses
- Reports related to security issues with third-party SaaS services (e.g. Hubspot) without proof of concept demonstrating breach of Fluix product security
- Reports related to sending domain names in text content of emails using Fluix service (i.e. specifying “test.com” somewhere in the service and seeing it delivered in email body)
We believe in recognizing the work of others.
Fluix provides rewards to vulnerability reporters at its discretion. You can use the following
indicative values for general guidance:
- Critical (9.0-10.0) — $3000+
- High (7.0-8.9) — $1000
- Medium (4.0-6.9)— $500
- Low (0.1-3.9) — up to $100
The reward amount depends on severity as determined by CVSS v3.0.
When duplicates occur, we award the first report that we can completely reproduce.
Multiple vulnerabilities caused by one underlying issue will be awarded one bounty.
Currently we do not offer rewards for software issues that do not have security impact.
To report a security or privacy vulnerability, send an email to firstname.lastname@example.org and include relevant steps to
reproduce, logs and/or videos in your message.
Please report different findings by sending diffrerent emails with a relevant subject each.
You may use our PGP key to encrypt sensitive
information that you send by email.
Our responsible disclosure policy is based on the https://disclose.io/ vulnerability disclosure framework.