# Reporting a Security Vulnerability

Flip.to welcomes reports from the security research community. If you believe you have found a security vulnerability in a Flip.to product or service, this page explains how to report it and what you can expect from us in return.

### How to report

**Email:** <security@flip.to>

This mailbox is monitored by Flip.to's CTO and Director of Engineering.

When reporting, please include:

* A clear description of the vulnerability
* Steps to reproduce it (or a proof-of-concept)
* The product, URL, or component affected
* Any potential impact you have observed
* Your preferred contact method for follow-up

English is preferred.

### What you can expect from us

When you report a vulnerability in good faith:

* **Acknowledgement within 48 hours.** We will confirm that we have received your report and provide a point of contact for follow-up.
* **Preliminary assessment within 7 days.** We will share an initial assessment of the report — including whether we have reproduced the issue and an indication of severity — within seven days of acknowledgement.
* **Follow-up through remediation.** We will keep you informed of remediation progress and, where appropriate, credit you publicly once the issue has been resolved.

Flip.to does not currently operate a paid bug bounty program. We offer our gratitude and, with your permission, public acknowledgement for valid and impactful reports.

### Safe harbor

Flip.to commits not to pursue legal action against researchers who:

* Report vulnerabilities in good faith through the channel above;
* Do not access, modify, or exfiltrate customer data beyond what is necessary to demonstrate the vulnerability;
* Do not degrade or disrupt Flip.to's services or other customers' use of them;
* Allow us a reasonable period to remediate the issue before any public disclosure.

Research conducted in accordance with this policy is considered authorized.

### Scope

In scope:

* Flip.to's production web properties (e.g., `flip.to`, `*.flip.to` customer applications)
* Flip.to's customer-facing APIs

Out of scope:

* Denial-of-service testing against production systems
* Social engineering of Flip.to personnel, customers, or partners
* Physical attacks against Flip.to offices or personnel
* Reports based solely on automated scanner output without a demonstrated, exploitable security impact
* Missing HTTP security headers or cookie flags absent a demonstrated, exploitable impact
* Clickjacking on pages with no sensitive actions
* SPF / DKIM / DMARC configuration suggestions without a proven spoofing exploit
* Vulnerabilities in third-party services that Flip.to uses but does not control (report those to the service provider directly)

### Coordinated disclosure

We ask that you allow us a reasonable period — typically up to 90 days from acknowledgement — to remediate a reported issue before any public disclosure. If you believe an issue requires faster disclosure (for example, active exploitation in the wild), please say so in your report and we will coordinate accordingly.

Thank you for helping keep Flip.to and our customers safe.


---

# Agent Instructions: Querying This Documentation

If you need information that is not directly available on this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.flip.to/policies/platform/reporting-a-security-vulnerability.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
