Responsible Disclosure Policy

At GreenFlux, we place great emphasis on the security of our systems, but despite our efforts vulnerabilities can still occur.

If you come across a vulnerability, we request that you notify us immediately to allow us to address it as soon as possible. We urge you to assist us in safeguarding our clients and systems by following these guidelines:

  • Do not exploit the vulnerability beyond what is needed to demonstrate it, for example by downloading more data than necessary or by tampering with other people's data.

  • Keep the problem confidential until it is resolved.

  • Avoid attacks on physical security, social engineering, distributed denial of service, spam, or third-party applications.

  • Provide sufficient information to reproduce the issue, such as the IP address or URL of the affected system and a detailed vulnerability description.

In return, we pledge to:

  • Respond to your report within three business days with an assessment of the report and a projected resolution date.

  • Not take any legal action against you regarding the report if you have followed the above instructions.

  • Handle your report with strict confidentiality and not disclose your personal information to third parties without your consent.

  • Keep you updated on progress towards resolving the issue.

  • Credit you as the discoverer of the problem in public information unless you indicate otherwise.

While we appreciate and encourage your efforts to report security concerns, please note that we are not obligated to provide a reward. The nature and amount of any reward are determined case by case, based on factors such as the thoroughness of your investigation, the quality of your report, and the severity of the vulnerability. We will make every effort to acknowledge your contribution and provide appropriate recognition.

Our aim is to resolve any issue as soon as possible, and we are happy to actively contribute to a publication about the issue once it has been resolved.

Out of Scope:

Please do not report trivial vulnerabilities or bugs that cannot be abused. The following examples are considered known and accepted vulnerabilities and risks that fall outside of the scope of our policy:

  • HTTP 404 codes/pages or any other non-200 HTTP codes/pages, and Content Spoofing/Text Injection on such pages.

  • Version banner disclosure (service fingerprinting) on common/public services.

  • Disclosure of known public files or directories or non-sensitive information, such as robots.txt.

  • Clickjacking and issues that can only be exploited through clickjacking.

  • Missing Secure or HttpOnly flags on non-sensitive cookies.

  • OPTIONS HTTP method enabled.

  • Anything related to HTTP security headers, including Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options, and Content-Security-Policy.

  • TLS/SSL configuration issues, such as forward secrecy not being enabled or weak/insecure cipher suites.

  • SPF, DKIM, and DMARC issues, as well as Host header injection.

  • Reports of outdated software versions without a proof of concept or working exploit.

  • Information leakage in metadata.

  • Presence of application or web browser 'autocomplete' or 'save password' functionality.

  • CSRF on forms that are available to anonymous users (e.g., the contact form).