Responsible Disclosure Policy

This page describes our policy around reporting vulnerabilities. It can be found on our website and will be promoted to stimulate the reporting of such issues.

Report Vulnerability

We work hard on protecting our users’ money and data, it’s our top priority! But nonetheless, it could be that you find a flaw in our security. You can help us by reporting this vulnerability.

Always report a vulnerability as soon as possible, and please ask us for permission before making the vulnerability public. Making it public before we found a solution might have a serious impact on our customers. Allow us to work together on a solution first.

Reporting a vulnerability

Please share the flaw you found directly with us at [email protected]. Our team monitors this inbox and will swiftly. When reporting, you can help us with enclosing at least the following information:

  • Severity of the flaw
    • Is it Informational / Low / Medium / High / Critical? You can use the CVSS calculation to assess the impact.
  • Please explain the vulnerability you have found and provide us with enough information to reproduce and investigate the problem, for example:
    - Screenshot / Proof of Concept
    - App version

The rules of the game

You might have conducted illegal activities to discover a vulnerability. We will not report these activities or claim damages if you have followed these rules:

  • act responsibly with the knowledge about the vulnerability, and do not perform any actions that go beyond what is necessary to demonstrate the flaw;
  • do not share access with others;
  • do not cause any damages;
  • do not use a denial-of-service attack or social engineering;
  • ensure that your research does not lead to an interruption of our services;
  • your research should never result in bank and/or customer data becoming public;
  • never place a backdoor, not even to demonstrate a vulnerability;
  • never modify or delete data. In case you need to copy data, never copy more data than strictly necessary;
  • do not make any system changes;
  • do not try to penetrate a system more often than necessary;
  • do not use brute force techniques;
  • do not use techniques that may affect the availability of our services;
  • Always take applicable laws and regulations into account because you could still get in trouble with the law, even if we don’t report you to the authorities.

What happens when I report a vulnerability?

We will start an investigation immediately after receiving your report. We always get back to you within a couple of days and will keep you up-to-date about our progress on solving the problem. The time we need to solve an issue depends on the complexity of the problem. After you have reported a problem, we ask you to refrain from making it public to give us time to solve the issue first. We treat the received notifications confidentially. We will not share your personal details with third parties without your permission unless required to do so by law or court order.

Can I get a reward for reporting an issue?

To thank you for your help we may offer you a reward, but we are never required to offer a reward. We only offer rewards for flaws that were unknown to us at the moment of reporting. We will determine the type and size of the reward based on the reported issue, taking the severity of the issue (among other things) into account. In case multiple people report the same issue, we will only offer a reward to the first reporter. We may provide you with a free version of Flow+ for life (Life Time Deal).