Responsible Disclosure Policy #
Last updated: Nov 1, 2024
Flows.Trading is committed to maintaining a secure platform for all traders.
We deeply appreciate security researchers who invest time and effort to help us improve the safety and reliability of our services.
This Responsible Disclosure Policy explains how to report security vulnerabilities, what we expect from researchers, what is out of scope, and how we protect you when you follow the rules.
Its purpose is simple: encourage good-faith security research while protecting both you and our users.
1. Our Commitment to Security Researchers #
If you identify a security vulnerability and follow this policy:
✔ We will not initiate legal action against you.
✔ We will work with you to triage the report quickly.
✔ We will keep you informed throughout the resolution process.
✔ We will credit you publicly if you want (optional).
We consider good-faith research essential to our ecosystem.
2. Reporting a Vulnerability #
Please email all reports to:
📧 contact@flows.trading
Include as many details as possible:
- A clear description of the issue
- Steps to reproduce the vulnerability
- The potential impact
- Screenshots, logs, or proof-of-concept (if applicable)
- Your contact information
Do not publicly disclose the vulnerability until we have confirmed that it is resolved.
3. Rules of Engagement #
Researchers must follow these rules to remain protected under this policy.
Allowed #
You may:
- Test only your own accounts
- Use non-destructive, non-disruptive methods
- Investigate without accessing or modifying data that isn't yours
- Report vulnerabilities privately
- Respect user privacy at all times
Not Allowed (Strict Prohibitions) #
To protect users and infrastructure, the following activities are never allowed:
🚫 No attempts to access or modify someone else’s data
🚫 No Denial-of-Service attacks (e.g., traffic flooding, resource exhaustion)
🚫 No scanning or automated fuzzing that generates high load
🚫 No exploitation beyond what’s required to prove the vulnerability
🚫 No social engineering (employees, support, users, partners)
🚫 No phishing or credential harvesting
🚫 No physical attacks on data centers or offices
🚫 No attempts to access third-party services via Flows.Trading
🚫 No testing with stolen or compromised API keys
If your research causes harm, disrupts service, or breaks these rules, you may lose the protection of this policy.
4. Scope of This Policy #
In Scope #
All online services operated by Flows.Trading, including:
- Web application (main platform)
- API endpoints and integrations
- Authentication systems
- Charting interface
- Trading workflows
- The Trading Journal
- Broker integration handling
- User account management
Out of Scope #
The following are not covered:
- Vulnerabilities in third-party brokers or exchanges
- Flows.Trading infrastructure not exposed to the public
- Issues affecting outdated browsers or unsupported environments
- Social engineering vulnerabilities
- Missing security headers that do not pose a meaningful risk
- Rate-limit bypasses without practical impact
- Hypothetical vulnerabilities with no demonstrable exploitability
If you are unsure whether something is in scope, contact us before testing.
5. Coordinated Disclosure Timeline #
We follow a coordinated, cooperative process:
- Receive report – we acknowledge within 72 hours.
- Triage – we assess severity and impact.
- Fix development – timeline depends on issue complexity.
- Validation – confirm the fix with the researcher if needed.
- Disclosure – we publish advisories only after remediation.
If we cannot reproduce the issue, we may request more details.
6. No Compensation Policy #
Flows.Trading does not operate a public bug bounty program.
Submitting a report does not guarantee financial compensation.
However:
- You may be publicly acknowledged (if you want).
- We may invite selected researchers to private testing programs in the future.
7. Good-Faith Expectations #
We expect researchers to:
- Act in good faith
- Minimize disruption
- Avoid accessing any user data
- Immediately delete any data obtained unintentionally
- Keep all findings confidential until resolved
In return, we commit to fair treatment, transparent communication, and legal protection for compliant researchers.
8. Legal Safe Harbor #
Flows.Trading will not pursue legal action under applicable cybersecurity laws (e.g., CFAA equivalents, anti-hacking acts) if all conditions below are met:
- Your actions were non-destructive
- Your research was in good faith
- You did not access or retain data that isn't yours
- You did not publicly disclose the vulnerability before it was fixed
- You followed all rules in this policy
We reserve the right to defend against actions that violate these terms or aim to harm our platform or users.
9. Protection for Researchers #
If you follow this policy:
✔ We will not suspend or terminate your account
✔ We will not block your IP
✔ We will treat you with respect and confidentiality
✔ We will not report you to authorities for good-faith testing
This safe harbor does not apply to actions performed on third-party brokers.
10. Responsible Use Reminder #
Flows.Trading is used by active traders and investors.
Any testing that disrupts service or harms users—even unintentionally—may create serious financial risk.
Please act with the highest level of responsibility.
11. Revision and Updates #
We may update this policy at any time.
Researchers should check the latest version before conducting tests.