Floy Vulnerability Reward Program (VRP)
To honour all the external contributions that help us keep our users safe, we maintain a Vulnerability Reward Program, which has been running continuously since January 2025.
Services in Scope
Generally, any Floy-owned application or web service that handles reasonably sensitive user data is intended to be in scope. This includes most content on the following domains:
Bugs in Floy on-premise deployments also qualify, as long as Floy itself introduced them.
Qualifying Vulnerabilities
Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
Cross-site scripting,
Cross-site request forgery,
Mixed-content scripts,
Authentication or authorization flaws,
Server-side code execution bugs,
Injection attacks
Note that the scope of the program is limited to technical vulnerabilities in Floy-owned applications. Please do not try to sneak into locations using Floy, attempt phishing attacks against our employees, and so on.
Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, or do other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.
If multiple researchers report the same vulnerability, only the first valid submission will be eligible for a reward. Duplicate reports will be acknowledged but not rewarded.
Out of Scope
The following are not eligible for rewards:
Infrastructure Hardening (Informational)
Missing CAA DNS records,
Missing security headers (X-Frame-Options, CSP, HSTS, etc.) without proven impact on user data,
Theoretical issues that require external compromise (CA compromise, BGP hijacking, DNS poisoning),
SSL/TLS warnings or certificate issues without a proven exploit
Clickjacking
Clickjacking on pages protected by SSO redirects (Google, AWS, etc.) where auth happens on the IdP domain,
Clickjacking reports without a proven post-auth exploit or real user impact
Authentication Endpoints
Rate limiting issues on non-functional endpoints (e.g. password reset when only SSO is used),
Issues in auth flows fully handled by third-party IdPs (Google, AWS SSO)
Email Configuration
Third-Party Software
Issues in third-party hosted tools (Retool, Metabase, Airflow) unless caused by Floy config,
Outdated dependency reports without a working PoC
Report Quality
Raw automated scanner output without manual validation,
Reports for non-existing paths or endpoints returning 403/404
No Demonstrated Exploitability
A report is only eligible if it includes a reproducible proof-of-concept that shows real impact on confidentiality, integrity, or availability of Floy data or systems. Banner grabs, version disclosures, fingerprinting of public service identifiers (cluster IDs, build hashes, server headers), and responses from intentionally unauthenticated metadata or health endpoints do not by themselves constitute a vulnerability, regardless of the product's general reputation or hypothetical attack surface.
Theoretical and Speculative Reports
Reports whose "Impact" section describes what an attacker could do without a working proof of those actions will be classified as informational and are not eligible for a reward.
No-response Policy
To keep response capacity focused on valid findings, Floy reserves the right not to respond to, triage, or acknowledge reports that:
consist solely of unauthenticated calls to public metadata, version, health, or status endpoints;
rely on automated-scanner output, Shodan/Censys results, or passive reconnaissance without a working exploit;
re-state generic risks of a product or protocol without demonstrating that those risks are realised on a Floy asset;
have already been reported, or describe behaviour that is by design and documented as such by the upstream vendor.
Submitting the same or a substantially similar low-quality report repeatedly may result in removal from the program.
Reward Amounts for Security Vulnerabilities
The following outlines the standard rewards for the most common severities of bugs.
Low (CVSS 0.1 - 3.9): € 275
Medium (CVSS 4.0 - 6.9): € 675
High (CVSS 7.0 - 8.9): € 1,200
Critical (CVSS 9.0 - 9.4): € 1,800
Exceptional (CVSS 9.5 - 10.0): € 2,500
Report Quality
Your report should demonstrate the security impact of the reported vulnerability and include:
An accurate and detailed description of the issue, including any relevant version numbers for applications, operating systems, web browsers, hardware device models, etc.
A proof-of-concept that effectively, quickly, and easily demonstrates the vulnerability with any applicable reproduction output (e.g., video recording, etc.)
A step-by-step explanation on how to reliably reproduce the vulnerability
A succinct analysis and demonstration of the impact of the vulnerability
Optionally: A proposed patch or effective mitigation to the vulnerability
Optionally: A root cause analysis, which helps us find other similar variants of the issue
Additionally, we expect the researcher to be responsive when asked questions and to answer any queries about the vulnerability accurately. We commit to replying to reports within 7 business days. We do not pay in advance for reports; rewards are paid only after we have verified and replicated the issue.
Investigating and Reporting Bugs
When investigating a vulnerability, please only ever target your own accounts. Never attempt to access anyone else's data, and do not engage in any activity that would be disruptive or damaging to your fellow users or to Floy.
If you have found a security vulnerability, please submit your report to:
security@floy.com
Please be succinct: your report is triaged by security engineers and a short proof-of-concept link is more valuable than a lengthy video explanation.