Security & responsible disclosure
Operated by BUILTFORBUSINESS LLP (FlowBase AI). Written to be readable.
Our security posture
TLS everywhere. Row-level security on all tables. Hardware-backed signed URLs for downloads. Secrets in environment variables, never in code. Audited annually by a third party.
Bug bounty scope
In scope: flowbase.cc and its subdomains; the public APIs under /api/*; the OAuth callback. Out of scope: third-party platforms (Razorpay, Resend, Supabase, Anthropic), social engineering, denial-of-service, automated scanning.
How to report
Email security@flowbase.cc with a clear description, reproduction steps, and any PoC. Use PGP when possible — fingerprint available at /.well-known/security.txt.
What we promise
Acknowledge within 48 hours. Triage and impact assessment within 7 days. Fix critical issues within 30 days. Credit you publicly (if you want).
Safe harbor
We won't pursue legal action against good-faith research that follows this policy, avoids privacy violations, and doesn't disrupt the service.
Rewards
Discretionary bounties up to ₹50,000 for critical issues, ₹25,000 for high, ₹10,000 for medium. We also send swag for accepted reports.
What's not eligible
Self-XSS, missing security headers without demonstrated impact, rate-limit bypasses without business impact, clickjacking on static pages, login/sign-up CSRF without a working exploit, EXIF metadata.
Customer-impacting incidents
We notify affected users via email and in-product within 72 hours of a confirmed breach, and publish a post-mortem within 14 days.