v0.4.2regionus-east-1builds/7d41pipeline active

FLA / PUBLIC BETA

SECURITY / RESPONSIBLE DISCLOSURE

$curl https://flareo.dev/.well-known/security.txt# also published as security.txt for automated discovery

Found something?
Tell us first.

If you've found a security issue in Flareo's platform — or in a module we've published — we want to hear from you before anyone else does. This page documents the channel, our response timeline, and what you should expect.

How to report

security@flareo.dev

Encrypt with our PGP key (below) if the report contains sensitive details. Plain email is fine for a heads-up; follow up with details over the encrypted channel.

PGP KEY FINGERPRINT

4F3A 2C1B 9E7D 8C5A 6F2D 3B1A 7C9D 8E2F 4A6B 1C3D

Full key at flareo.dev/.well-known/pgp-key.asc.

For active exploitation: if you believe a vulnerability is being actively exploited against Flareo or against deployed modules, mark the email subject [URGENT-EXPLOIT] — it pages on-call.

In scope

Yes — we want these

Pipeline integrity bugs: anything letting a submitter smuggle artifacts past Trivy / cosign / SLSA
Sandbox escapes from any preview environment
Authentication or session bugs in flareo.dev or the API
Privilege escalation between user / publisher / admin
Trust Score forgery: making a module's score appear higher than the formula computes
SSRF, RCE, SQLi, XSS, CSRF in the platform code
Bugs in any module we've published: malicious upstream, backdoored dependency, vulnerable build step

Out of scope

Vulnerabilities in upstream projects we package — report those to the upstream project; we'll coordinate the rebuild after they patch
Missing security headers on marketing pages (we read these reports but they go to the bottom of the queue)
SPF / DMARC / DKIM tuning on email infrastructure
Self-XSS where the only path is the user's own browser extension or DevTools
DDoS / volumetric attacks (we have separate operational channels for this)
Reports generated by automated scanners with no proof-of-impact

What you should expect

Acknowledgement

within 24h

A real human replies. Not an autoresponder. We confirm receipt and tell you who's looking at it.

Triage

within 72h

We confirm whether the issue reproduces and assign a severity (P0–P3). You get the assigned severity and our preliminary read.

Mitigation

P0: 24h · P1: 7d · P2: 30d · P3: best-effort

A mitigation lands in production. For module-level issues, this means a rebuild with the fix; for platform issues, a code deploy. We tell you when it's live.

Coordinated disclosure

90 days from initial report (negotiable)

If an issue affects external users, we publish details after the fix has had time to propagate. Reporters who want public attribution get it; those who want anonymity get that. The default is your call.

Public incident log

after disclosure

Vulnerabilities that affected published modules appear on /incidents with the timeline, scope, mitigation, and reporter credit (with consent).

Safe harbor

We will not pursue legal action against good-faith security researchers who:

Test only against accounts you own or have explicit permission to test against
Avoid privacy violations, destruction of data, and interruption of service
Give us reasonable time to respond before any public disclosure
Make a good-faith effort to comply with all applicable laws

If your testing activities raise concerns about authorization, contact us first. We'd rather talk through it than discover the testing in our logs without context.

Bounty program

Honest answer: we don't run a paid bounty program yet.

For high-impact reports we offer a public credit on the /incidents page, swag, and a thank-you that we mean. When Flareo has revenue to support a structured bounty, we'll publish the program in detail rather than running an informal one. Until then, we ask researchers to report for the same reason we'd report bugs we find ourselves: because fixing them makes the platform safer for everyone running it.

SECURITY / RESPONSIBLE DISCLOSURE

$curl https://flareo.dev/.well-known/security.txt# also published as security.txt for automated discovery

Found something?
Tell us first.

How to report

security@flareo.dev

Encrypt with our PGP key (below) if the report contains sensitive details. Plain email is fine for a heads-up; follow up with details over the encrypted channel.

PGP KEY FINGERPRINT

4F3A 2C1B 9E7D 8C5A 6F2D 3B1A 7C9D 8E2F 4A6B 1C3D

Full key at flareo.dev/.well-known/pgp-key.asc.

For active exploitation: if you believe a vulnerability is being actively exploited against Flareo or against deployed modules, mark the email subject [URGENT-EXPLOIT] — it pages on-call.

In scope

Yes — we want these

Pipeline integrity bugs: anything letting a submitter smuggle artifacts past Trivy / cosign / SLSA
Sandbox escapes from any preview environment
Authentication or session bugs in flareo.dev or the API
Privilege escalation between user / publisher / admin
Trust Score forgery: making a module's score appear higher than the formula computes
SSRF, RCE, SQLi, XSS, CSRF in the platform code
Bugs in any module we've published: malicious upstream, backdoored dependency, vulnerable build step

Out of scope

Vulnerabilities in upstream projects we package — report those to the upstream project; we'll coordinate the rebuild after they patch
Missing security headers on marketing pages (we read these reports but they go to the bottom of the queue)
SPF / DMARC / DKIM tuning on email infrastructure
Self-XSS where the only path is the user's own browser extension or DevTools
DDoS / volumetric attacks (we have separate operational channels for this)
Reports generated by automated scanners with no proof-of-impact

What you should expect

Acknowledgement

within 24h

A real human replies. Not an autoresponder. We confirm receipt and tell you who's looking at it.

Triage

within 72h

We confirm whether the issue reproduces and assign a severity (P0–P3). You get the assigned severity and our preliminary read.

Mitigation

P0: 24h · P1: 7d · P2: 30d · P3: best-effort

A mitigation lands in production. For module-level issues, this means a rebuild with the fix; for platform issues, a code deploy. We tell you when it's live.

Coordinated disclosure

90 days from initial report (negotiable)

Public incident log

after disclosure

Vulnerabilities that affected published modules appear on /incidents with the timeline, scope, mitigation, and reporter credit (with consent).

Safe harbor

We will not pursue legal action against good-faith security researchers who:

Test only against accounts you own or have explicit permission to test against
Avoid privacy violations, destruction of data, and interruption of service
Give us reasonable time to respond before any public disclosure
Make a good-faith effort to comply with all applicable laws

If your testing activities raise concerns about authorization, contact us first. We'd rather talk through it than discover the testing in our logs without context.

Bounty program

Honest answer: we don't run a paid bounty program yet.

Found something?Tell us first.

Yes — we want these

Out of scope

Found something?Tell us first.

Yes — we want these

Out of scope

Found something?
Tell us first.

Found something?
Tell us first.