Bug Bounty
Report a Security or Privacy Vulnerability¶
Adminflow’s Bug Bounty Policy applies to security vulnerabilities discovered within our public-facing online environment. We encourage responsible disclosure to help us maintain high security standards.
Purpose¶
The purpose of this Policy is to establish clear guidelines for receiving, evaluating, remediating, and verifying fixes for vulnerabilities reported in our IT environment. If you believe you've identified a security or privacy vulnerability in the Adminflow product, please report it to us.
Disabling Cookies¶
You can prevent cookies from being set by adjusting your browser settings (refer to your browser's Help section for guidance). Please note that disabling cookies may affect functionality on this and other websites, and it is generally recommended not to disable cookies for optimal site performance.
Bounty Eligibility¶
Security researchers are required to avoid any destructive actions that may result in:
- Data loss for other users
- Service disruptions (Denial of Service)
- Placement on any block lists
If you find a vulnerability whose exploitation could cause any of these effects, do not demonstrate it against live users or data; report it to the Adminflow development team instead.
Severity Levels¶
We classify vulnerabilities based on their potential impact, helping us prioritize fixes and determine appropriate rewards. Our severity levels include:
- SEV-1 (Low Severity): No current exploit, but a potential vulnerability.
- SEV-2 (Medium Severity): Minor impact on system operations, such as limited data access.
- SEV-3 (High Severity): Significant impact or circumvention of access restrictions for certain data.
- SEV-4 (Critical Severity): System-wide impact or unauthorized access to substantial data.
- SEV-5 (Extreme Severity): Complete, undetectable access to the system.
Examples of Vulnerabilities by Severity¶
- SEV-1: HTML/URL injection, open redirects
- SEV-2: DOS attack potential; unauthorized access to internal tools
- SEV-3: Attacker can link clients via IDOR
- SEV-4: Unauthorized access to delete user invoices via IDOR
- SEV-5: Complete account takeover through arbitrary code injection
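To make the IDOR entries concrete, the following is an added illustration, not Adminflow code: a simulated invoice-deletion handler in its vulnerable form (any authenticated user can delete any invoice by guessing its number, the SEV-4 case) beside a hardened form that checks ownership. The in-memory store, the client ids and the function names are all constructed for the example. The `idor_check` helper shows the non-destructive way to test this: use two accounts you control and try to reach the first account's record from the second, which keeps the test within the "no data loss for other users" rule above.

```python
"""Added example: an invoice-delete endpoint with and without an ownership check.

All data here is constructed in memory; nothing touches a real system.
"""
from dataclasses import dataclass, field

NO_CONTENT = 204   # HTTP status returned on successful delete
NOT_FOUND = 404    # HTTP status returned when the caller may not see the invoice


@dataclass
class Invoice:
    invoice_id: int
    owner_id: int  # the client (tenant) that owns this invoice


@dataclass
class Store:
    invoices: dict = field(default_factory=dict)


def seed_store() -> Store:
    """Constructed sample data: two clients, one invoice each."""
    store = Store()
    store.invoices[1001] = Invoice(invoice_id=1001, owner_id=1)
    store.invoices[1002] = Invoice(invoice_id=1002, owner_id=2)
    return store


def delete_invoice_vulnerable(store: Store, session_user_id: int, invoice_id: int) -> int:
    """Authenticated but not authorized: the handler trusts the id from the URL.

    Any logged-in user can delete any invoice by incrementing the number.
    This is the SEV-4 'delete user invoices via IDOR' example.
    """
    if invoice_id not in store.invoices:
        return NOT_FOUND
    del store.invoices[invoice_id]
    return NO_CONTENT


def delete_invoice_hardened(store: Store, session_user_id: int, invoice_id: int) -> int:
    """Look the record up, then verify it belongs to the calling session.

    Unknown ids and ids owned by someone else both return the same 404, so a
    caller cannot use the response to enumerate which invoice numbers exist
    (the read-only variant of this leak is the SEV-3 'link clients' case).
    """
    invoice = store.invoices.get(invoice_id)
    if invoice is None or invoice.owner_id != session_user_id:
        return NOT_FOUND
    del store.invoices[invoice_id]
    return NO_CONTENT


def idor_check(handler) -> bool:
    """Non-destructive IDOR probe using two accounts the tester controls.

    Returns True if client 2 can delete client 1's invoice through `handler`,
    i.e. the endpoint is vulnerable. No third party's data is touched.
    """
    store = seed_store()
    status = handler(store, session_user_id=2, invoice_id=1001)
    # Vulnerable: 204 and the record is gone. Hardened: 404 and it survives.
    return status == NO_CONTENT and 1001 not in store.invoices


if __name__ == "__main__":
    print("vulnerable handler has IDOR:", idor_check(delete_invoice_vulnerable))
    print("hardened handler has IDOR:  ", idor_check(delete_invoice_hardened))
```

The ownership comparison is the whole fix; the deliberate choice to answer 404 rather than 403 for another tenant's record is what stops the endpoint from doubling as an enumeration oracle.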
Protecting Our Clients from Phishing¶
Adminflow is committed to protecting clients from phishing attacks, which are attempts to trick users into revealing sensitive information. Phishing emails often mimic legitimate sources but can contain subtle errors, a sense of urgency, or generic greetings. Please avoid clicking any links or attachments if you suspect a phishing attempt.
Reporting Phishing Attempts¶
Reports of phishing attempts are not eligible for our Bug Bounty program, as the program focuses on identifying vulnerabilities within the Adminflow platform itself.
Program Rules¶
We only award bounties for original reports. If a duplicate report is filed, we will notify you of the first registered report.
Ineligible Reports¶
- Third-party services not under our control
- Physical access requirements
- Exploits that only work on outdated or unsupported software/hardware
- Social engineering or phishing attacks
- General recommendations without a specific exploit
How to Report Security or Privacy Vulnerabilities¶
If you believe you've discovered a vulnerability affecting Adminflow's software, services, or web servers, we welcome your report. Security researchers, developers, and customers are all encouraged to contribute.
To report a vulnerability, please include enough detail for us to reproduce the issue, such as videos, crash logs, or system diagnostics. We will acknowledge your report upon receipt and may reach out for more information within 10 business days.