Floy Vulnerability Reward Program (VRP)

To honour all the external contributions that help us keep our users safe, we maintain a Vulnerability Reward Program, which has been running continuously since January 2025.

Services in Scope

Generally, any Floy-owned application or web service that handles reasonably sensitive user data is intended to be in scope. This includes most content on the following domains:
  • *.floy.com
Bugs in Floy on-premise deployments will also qualify, as long as they were caused by Floy directly.

Qualifying Vulnerabilities

Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
  • Cross-site scripting,
  • Cross-site request forgery,
  • Mixed-content scripts,
  • Authentication or authorization flaws,
  • Server-side code execution bugs,
  • Injection attacks
Note that the scope of the program is limited to technical vulnerabilities in Floy-owned applications. Please do not try to sneak into locations using Floy, attempt phishing attacks against our employees, and so on.

Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, or do other similarly questionable things. We also discourage the use of any vulnerability testing tools that automatically generate very significant volumes of traffic.

Reward Amounts for Security Vulnerabilities

The following outlines the standard rewards for the most common severities of bugs.
  Severity      CVSS score    Reward
  Low           0.1 - 3.9     € 275
  Medium        4.0 - 6.9     € 675
  High          7.0 - 8.9     € 1,200
  Critical      9.0 - 9.4     € 1,800
  Exceptional   9.5 - 10.0    € 2,500

Report Quality

Your report should demonstrate the security impact of the reported vulnerability and include:
  • An accurate and detailed description of the issue including any relevant version numbers for applications, OS, web browsers, hardware device models etc.
  • A proof-of-concept that effectively, quickly, and easily demonstrates the vulnerability, together with any applicable reproduction output (e.g., a video recording)
  • A step-by-step explanation on how to reliably reproduce the vulnerability
  • A succinct analysis and demonstration of the impact of the vulnerability
  • Optionally: A proposed patch or effective mitigation to the vulnerability
  • Optionally: A root cause analysis, which helps us find other similar variants of the issue
Additionally, we expect the researcher to be responsive when asked questions and to answer any queries about the vulnerability accurately. We commit to replying to reports within 7 business days. We do not pay for reports in advance; rewards are paid only after we have verified and reproduced the issue on our side.

Investigating and Reporting Bugs

When investigating a vulnerability, please only ever target your own accounts. Never attempt to access anyone else's data, and do not engage in any activity that would be disruptive or damaging to your fellow users or to Floy.

If you have found a security vulnerability, please submit your report to:

security@floy.com

Please be succinct: your report is triaged by security engineers and a short proof-of-concept link is more valuable than a lengthy video explanation.