Skip to content
FLOWPILOTS

RESPONSIBLE DISCLOSURE

Found something? Tell us.

Security reports make the cockpit safer for every Pilot. Send yours to security@flowpilots.io with enough detail to reproduce what you found.

In scope

  • www.flowpilots.io, this website.
  • app.flowpilots.io, the cockpit application.

Out of scope

  • Third-party services the cockpit runs on (Vercel, Supabase, Anthropic, Cloudflare, Proton). Report those to their own programs.
  • Denial of service and volumetric testing of any kind, including rate-limit exhaustion.
  • Social engineering of anyone, and physical attacks.

The rules

  • Test only against accounts you own.
  • Take the minimum needed to prove the finding; never read, copy, or keep other Pilots' data.
  • No persistence: leave nothing behind, and undo any state your testing created.
  • Give us reasonable time to fix the issue before any public disclosure.

What to expect

  • Acknowledgment within three business days.
  • Triage and a severity read within seven days.
  • A fix timeline communicated as soon as one exists, and a note when the fix ships.

Safe harbor

Research done in good faith within these rules is authorized. FlowPilots will not pursue legal action against you for it, under computer-misuse law or copyright law, and will say so on your behalf if a third party tries. If you are ever unsure whether something is covered, ask first at security@flowpilots.io.