Responsible Disclosure Policy
Last updated: July 2025
1. Purpose
LoadFlow is committed to maintaining the security and privacy of our systems and our customers’ data. This Responsible Disclosure Policy outlines our approach to working with the security community and researchers who act in good faith to identify and report vulnerabilities.
If you believe you've discovered a security or privacy issue, we want to hear from you. We will investigate all valid reports and fix confirmed issues as quickly as possible.
2. Our Commitment
We are committed to:
- Investigating and validating all legitimate vulnerability reports in a timely manner
- Not pursuing legal action against anyone who reports issues in good faith and in accordance with this policy
- Maintaining open, respectful communication with all researchers throughout the disclosure process
- Giving credit or acknowledgment where appropriate (if desired by the researcher)
We believe that responsible security research benefits everyone, and we deeply appreciate your contributions to LoadFlow’s reliability and safety.
3. Who Can Report
Anyone who discovers a security vulnerability — including security researchers, developers, customers, or ethical hackers — is welcome to report it. No prior approval or authorization is required to submit a report.
You must follow this policy and act in good faith to qualify for protection under our Safe Harbor terms (see Section 7).
4. What You Can Report
We are primarily interested in high-impact, exploitable security vulnerabilities such as:
- Authentication or authorization bypasses
- Privilege escalation or account takeover vectors
- Access to customer data, logs, or credentials
- Injection flaws (e.g., SQL, command, or header injection)
- Cross-Site Scripting (XSS) or API abuse vectors
- Improper access to rate-limited or gated endpoints
- Key exposure or credential leakage in frontend or backend systems
5. What Not to Report
The following types of findings are not considered in-scope for this disclosure policy:
- Rate-limit errors, HTTP 429 responses, or blocks triggered by abuse-prevention systems
- Missing or low-impact HTTP headers (e.g., CSP, X-Frame-Options)
- UI or UX bugs with no security impact
- Typos, broken links, or visual inconsistencies
- Outdated JavaScript libraries with no known exploit path
- Use of public third-party packages, unless the vulnerability is directly exploitable through LoadFlow
6. How to Submit a Report
To report a vulnerability, please send a detailed email to:
Email: security@loadflowlogistics.com
Please include as much of the following as possible:
- A clear description of the vulnerability and its impact
- Step-by-step instructions to reproduce the issue
- Any screenshots, logs, or video proof-of-concept (PoC)
- Your contact information, name or handle (optional for anonymous reports)
We recommend encrypting sensitive disclosures with our PGP public key (available upon request). Please do not share vulnerabilities through public channels such as social media or GitHub.
7. Safe Harbor & Non-Retaliation
If you act in good faith, comply with this policy, and avoid intentional harm or disruption, we will:
- Not pursue legal action or law enforcement against you
- Not suspend or ban your account for submitting a report under this policy
- Not issue DMCA takedowns for vulnerability disclosure reports sent privately
This protection applies only to ethical testing on in-scope systems that respects our rules and boundaries. LoadFlow reserves the right to revoke Safe Harbor in the case of malicious intent, fraud, or breach of confidentiality.
8. Testing Boundaries
You must avoid:
- Using automated scanning tools, fuzzers, or brute-force scripts
- Disrupting service availability or generating excessive traffic
- Accessing, modifying, or deleting customer data you do not own
- Attempting phishing, social engineering, or credential harvesting against LoadFlow staff or customers
- Running denial-of-service (DoS) or stress tests against any LoadFlow-hosted infrastructure
All testing must be non-destructive, non-intrusive, and must not compromise user trust or data privacy.
9. Disclosure Timeline & Coordination
LoadFlow commits to the following vulnerability disclosure process:
- Acknowledge valid reports within 3 business days
- Provide an initial analysis and remediation plan within 10 business days
- Work toward patching critical issues within 30 calendar days
- Request non-disclosure from the researcher until a fix is in place or 90 days have passed
We may ask for extensions in complex cases. Researchers are encouraged to coordinate public disclosure responsibly. We support transparency but prefer disclosure after remediation whenever possible.
10. In-Scope Systems & Domains
The following systems are considered in-scope for security testing under this policy:
- loadflowlogistics.com (main marketing site)
- *.loadflowlogistics.com (including dashboard, docs, and all subdomains)
- API endpoints: All LoadFlow-hosted production API routes under `/api/v1/`
The following are explicitly out-of-scope:
- Third-party vendors (e.g., Stripe, Vercel, DigitalOcean)
- Load testing tools, uptime monitors, or documentation microsites hosted externally
- Staging or development environments not publicly accessible
11. Duplicate Reports
If multiple researchers report the same vulnerability, LoadFlow will consider only the first report that provides a complete, actionable reproduction. We reserve the right to acknowledge others who contribute meaningfully, but credit is not guaranteed for duplicates.
Please check this page and prior disclosures (if available) before submitting a known issue.
12. Bounty Program
LoadFlow does not currently operate a public or paid bug bounty program. No monetary reward is promised for disclosures under this policy.
We may launch a formal bounty program in the future. At our discretion, we may offer swag, account credits, or public acknowledgment for particularly valuable reports. Participation in this policy is entirely voluntary.
13. Researcher Conduct & Data Handling
You agree to:
- Not retain, store, or exfiltrate any data you access during testing
- Not intentionally access, download, or tamper with customer accounts or private information
- Destroy any non-public data obtained during testing immediately after report submission
Failure to follow these guidelines may result in disqualification from this policy and, depending on severity, legal referral.
14. Reporting Vulnerabilities in Third-Party Services
If you discover a vulnerability in a third-party service used by LoadFlow (such as Stripe, Vercel, or DigitalOcean), we encourage you to report it directly to that provider through their own responsible disclosure program.
LoadFlow cannot accept responsibility or coordinate disclosure for platforms we do not control. We may, however, assist in verifying that LoadFlow systems were unaffected.
15. Language & Submission Format
All reports must be submitted in English and in a clear, organized format. Please include steps to reproduce, affected components, and any relevant logs or headers. We accept reports by email only. Please do not contact us via social media, chat platforms, or public repositories.
16. Expected Researcher Conduct
LoadFlow expects all researchers participating in this program to:
- Act in good faith and within legal and ethical bounds
- Maintain confidentiality of any sensitive data discovered
- Cooperate professionally throughout the disclosure process
- Respect user privacy and platform availability at all times
We reserve the right to deny protection under this policy if researchers violate these principles or act maliciously.
17. Policy Scope and Changes
LoadFlow may update this Responsible Disclosure Policy at any time. We encourage researchers to check back regularly for changes. Any updates will take effect upon publication.
Continued testing after a change is posted constitutes acceptance of the updated rules.
18. Contact Information
- Email: security@loadflowlogistics.com
- Legal Support: legal@loadflowlogistics.com
- Entity: LoadFlow Logistics LLC
- Jurisdiction: State of Wyoming, United States