Vulnerability Disclosure Policy

Purpose

Flashquotes is committed to providing a secure platform for our users, including mobile event caterers who rely on our software for their daily operations. We recognize the importance of identifying and addressing security vulnerabilities promptly. By establishing this Vulnerability Disclosure Policy, we aim to encourage responsible disclosure of security issues and to work collaboratively with the security research community to enhance the security of our platform.

Scope

This policy covers vulnerabilities in the Flashquotes platform, including our web application, APIs, and related services. Specifically, the following are in scope:

• The main application at https://app.flashquotes.com
• All subdomains under flashquotes.com
• Our APIs used by the application

The following are out of scope:

• Third-party services or applications not directly managed by Flashquotes
• Vulnerabilities in user data or content, unless they directly affect the security of the Flashquotes platform

Safe Harbor

We appreciate the efforts of security researchers who responsibly disclose vulnerabilities. We will not initiate legal action against researchers who:

• Act in good faith
• Follow the guidelines in this policy
• Do not exploit or abuse vulnerabilities

Thank you for helping us keep Flashquotes secure.

Responsible Disclosure Guidelines

If you discover a potential security issue in our platform, we ask that you:

1. Report it privately by emailing us at security@flashquotes.com.
2. Provide detailed steps to reproduce the issue, including URLs, payloads, screenshots, or logs if applicable.
3. Allow us a reasonable time to investigate and remediate before any public disclosure.
4. Avoid accessing, modifying, or deleting any user data that is not your own.

We commit to:

• Responding quickly and confirming receipt of your report.
• Investigating the issue in good faith.
• Keeping you updated on our progress.
• Crediting you (with permission) if the report leads to a fix.

Recognition

We currently do not operate a formal bug bounty program. However, for verified, high-impact vulnerabilities, we may offer a modest discretionary reward or public recognition as a token of appreciation.

Unauthorized Testing

The following types of testing are not authorized under this policy:

• Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
• Physical testing (e.g., tampering with hardware)
• Social engineering attacks on our employees

Engaging in these activities may result in legal action, regardless of whether a vulnerability is reported.

Contact Information

For any questions about this policy or to report a vulnerability, please contact us at security@flashquotes.com.