Flex Finance Vulnerability Disclosure Policy
1. Introduction
At Flex Finance, we are committed to ensuring the security and integrity of our systems and services. We welcome responsible disclosure of vulnerabilities that may affect our online properties. This policy outlines our expectations for security researchers and the process for reporting potential security issues.
2. Scope
This policy applies to all websites, applications, APIs, and online services owned or operated by Flex Finance (collectively, the “Systems”).
Exclusions:
- Third-party applications or services not maintained by Flex Finance.
- Vulnerabilities in software or systems that are not under Flex Finance's control.
3. Reporting Guidelines
3.1 What to Include in Your Report
When reporting a vulnerability, please provide as much of the following information as possible:
- Description: A clear and concise summary of the vulnerability.
- Steps to Reproduce: Detailed instructions, including URLs, parameters, and any necessary conditions.
- Impact Assessment: An explanation of the potential impact of the vulnerability.
- Evidence: Screenshots, videos, or logs that illustrate the issue.
- Contact Information: Your preferred method for follow-up questions (email, phone, etc.).
3.2 How to Report
Please send your report to:
Email: security@flexfinance.ai
Subject Line: Vulnerability Report – [Brief Description]
4. Responsible Disclosure Guidelines
- Coordinated Disclosure: We request that you refrain from publicly disclosing the vulnerability until we have had a reasonable opportunity to investigate and address the issue. Coordinated disclosure is essential for preventing potential misuse of the vulnerability.
- Testing Considerations: Please perform all testing in a manner that does not disrupt our services or compromise the privacy and security of our users. Avoid actions that could result in data loss, data corruption, or denial of service.
- Good Faith: By reporting vulnerabilities under this policy, you agree to act in good faith and abide by the terms outlined herein.
5. What You Can Expect from Us
- Acknowledgment: We will acknowledge receipt of your report within [3-5] business days.
- Investigation: Our security team will assess and investigate the reported vulnerability.
- Follow-Up: We may contact you for additional information if needed. While we may not be able to provide detailed updates due to security reasons, we will inform you once the issue has been resolved.
- No Bug Bounty or Rewards: Please note that Flex Finance does not have a bug bounty program, nor do we offer any monetary compensation, rewards, or other incentives for vulnerability reports. Our focus is on promptly addressing and remediating security issues to protect our systems and users.
6. Legal Considerations
- Safe Harbor: Provided you adhere to the guidelines outlined in this policy, Flex Finance will not pursue any legal action against you for activities related to the testing or reporting of vulnerabilities.
- Limitations: Any testing that violates applicable laws, exceeds the scope of this policy, or involves intentional harm may be subject to legal action.
- No Authorization for Harmful Activity: This policy does not authorize any activity that could harm Flex Finance or its users. Researchers must always act responsibly and ethically.
7. Modifications to This Policy
Flex Finance reserves the right to modify or update this policy at any time. We encourage you to review the policy periodically to stay informed of any changes.
8. Contact
If you have any questions regarding this policy or require further assistance, please contact our security team at:
Email: security@flexfinance.ai