Reporting a Security Vulnerability
Flip.to welcomes reports from the security research community. If you believe you have found a security vulnerability in a Flip.to product or service, this page explains how to report it and what you can expect from us in return.
How to report
Email: [email protected]
This mailbox is monitored by Flip.to's CTO and Director of Engineering.
When reporting, please include:
A clear description of the vulnerability
Steps to reproduce it (or a proof-of-concept)
The product, URL, or component affected
Any potential impact you have observed
Your preferred contact method for follow-up
English is preferred.
What you can expect from us
When you report a vulnerability in good faith:
Acknowledgement within 48 hours. We will confirm that we have received your report and provide a point of contact for follow-up.
Preliminary assessment within 7 days. We will share an initial assessment of the report — including whether we have reproduced the issue and an indication of severity — within seven days of acknowledgement.
Follow-up through remediation. We will keep you informed of remediation progress and, where appropriate, credit you publicly once the issue has been resolved.
Flip.to does not currently operate a paid bug bounty program. We offer our gratitude and, with your permission, public acknowledgement for valid and impactful reports.
Safe harbor
Flip.to commits not to pursue legal action against researchers who:
Report vulnerabilities in good faith through the channel above;
Do not access, modify, or exfiltrate customer data beyond what is necessary to demonstrate the vulnerability;
Do not degrade or disrupt Flip.to's services or other customers' use of them;
Allow us a reasonable period to remediate the issue before any public disclosure.
Research conducted consistent with this policy is considered authorized.
Scope
In scope:
Flip.to's production web properties (e.g., flip.to, *.flip.to customer applications)
Flip.to's customer-facing APIs
Out of scope:
Denial-of-service testing against production systems
Social engineering of Flip.to personnel, customers, or partners
Physical attacks against Flip.to offices or personnel
Reports based solely on automated scanner output without a demonstrated, exploitable security impact
Missing HTTP security headers or cookie flags absent a demonstrated, exploitable impact
Clickjacking on pages with no sensitive actions
SPF / DKIM / DMARC configuration suggestions without a proven spoofing exploit
Vulnerabilities in third-party services that Flip.to uses but does not control (report those to the service provider directly)
Coordinated disclosure
We ask that you allow us a reasonable period — typically up to 90 days from acknowledgement — to remediate a reported issue before any public disclosure. If you believe an issue requires faster disclosure (for example, active exploitation in the wild), please say so in your report and we will coordinate accordingly.
Thank you for helping keep Flip.to and our customers safe.
Last updated