Responsible Disclosure Policy
Flood IO aims to keep its Service safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in the Service, we appreciate your help in disclosing it to us in a responsible manner.
Flood IO will engage with security researchers when vulnerabilities are reported to us in accordance with this Responsible Disclosure Policy. We will validate, respond to and fix vulnerabilities in accordance with our commitment to security and privacy. We won’t take legal action against, or suspend or terminate access to the Service of, those who discover and report security vulnerabilities in accordance with this Responsible Disclosure Policy. Flood IO reserves all of its legal rights in the event of any noncompliance.
Capitalized terms used in this Responsible Disclosure Policy and not otherwise defined have the meaning ascribed to such terms in our Terms of Service.
You may test only against an Account of which you are the Account owner. In no event are you permitted to access, download or modify data residing in any other Account or that does not belong to you, or to attempt to do any of the foregoing. You are also prohibited from:
- Executing or attempting to execute any Denial of Service attack.
- Knowingly posting, transmitting, uploading, linking to, sending or storing any Malicious Software.
- Testing in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes or other forms of duplicative or unsolicited messages.
- Testing in a manner that would degrade the operation of the Service.
- Testing or otherwise accessing or using the Service from any jurisdiction that is a Prohibited Jurisdiction.
- Testing third party applications or websites or services that integrate with or link to the Service.
Share the details of any suspected vulnerabilities with the Flood IO Security Team by sending an email to firstname.lastname@example.org. Please do not publicly disclose these details without express written consent from Flood IO. In reporting any suspected vulnerabilities, please include the following information:
- Vulnerability details with information to allow us to efficiently reproduce your steps.
- Your email address.
- Your name as it should be displayed on this page if you would like it to be.
- Your Twitter handle or website as it should be displayed.
Requests for monetary compensation in connection with any identified or alleged vulnerability will be deemed noncompliant with this Responsible Disclosure Policy.
If you identify a verified security vulnerability in compliance with this Responsible Disclosure Policy, Flood IO commits to:
- Promptly acknowledge receipt of your vulnerability report.
- Provide an estimated timetable for resolution of the vulnerability.
- Notify you when the vulnerability is fixed.
- Publicly acknowledge your responsible disclosure.
Bugs in third party applications or systems, denial of service vulnerabilities, social engineering techniques, or bugs that require physical access to the targeted victim's device are not considered.
Flood IO thanks the following individuals and organizations that have identified security vulnerabilities in accordance with this Responsible Disclosure Policy:
- Aditya Agrawal exploitprotocol
- Manish Bhattacharya
- Kamil Sevi kamilsevi
- Sandeep V sanxor
- Robert Villalon percentwoef
- Ishan Anand zero-access
- Manikandan Rajakumar Mani22cars
- Berkay Aydın realberkayaydin
- Justine Edic ItsJPSecurity
- Hammad Mahmood hammad.mahmood.14019
- Abdul Haq Khokhar Abdulhaqkhokhar
- Kalpesh Makwana Kalpesh_makwana
- Abdul Rehman abdul_r3hman
- M.Asim Shahzad m-asim-shahzad
- Abhinav Verma cehabhinavverma
- Arvind Singh Shakhawat eharvindsingh
- Prudhvi.D itsmytime1422
- Tanoy Bose TanoyBose
- Web Plus ahmed.jerbi.web.plus
- Neeraj Godkhindi neeraj-godkhindi
- Talha Mahmood t4lha.mahmood
- Ali Hassan Ghori alihasanghauri
- Yash Pandya eryash9_yash
- Shivam Kumar Agarwal netanalysts
- Hamid Ashraf hamihax
- Hammad Qureshi & Huzaifa Jawaid hmad01256
- Paresh Parmar Paresh.Parmar1993
- Ashesh Kumar ashesh1708
- SaifAllah benMassaoud Security_Researcher
- Rui Silva dreamzz.twp
- Othmane Tamagart 0thm4n@WhiteHatSec
- Kamran Saifullah kamransaifullah786
- Nitesh Sharma nitesh-sharma-004521120
- Ibram Marzouk @0xibram
- Kenny Hietbrink kennyboe
Please note we are aware of the following vulnerabilities and are working towards a solution in the near future:
- DMARC Records not specified
- Potential for proxy to bypass X-Frame-Options
- X-Content-Type-Options header set for 'nosniff'
- Potential for self XSS attack vectors
- Secure Client-Initiated Renegotiation
- Leaked information in headers / referrers
- Open redirect vulnerability