security policy & bug bounty
storyflo treats security reports as a first-class signal. The sooner a real-world researcher finds an issue, the sooner every listener and publisher on the platform is safer. This page is the canonical source — quote it in any disclosure correspondence.
reporting a vulnerability
Pick whichever channel is easier for you. Email is preferred.
- email — security@storyflo.com, subject line `SECURITY: <brief title>`
- GitHub Advisory — open a private advisory
- security.txt — /.well-known/security.txt (RFC 9116)
Please do not disclose publicly until we've confirmed a fix is live on production.
response SLA
| stage | target |
|---|---|
| initial human acknowledgement | 24 hours (09:00–18:00 PT, Mon–Fri) |
| triage outcome | 3 business days |
| critical fix (RCE, full-DB read, auth bypass) | 7 days |
| high fix (privilege escalation, data leak) | 30 days |
| medium / low fix | 90 days |
Critical reports outside business hours route to on-call via Telegram and are still acknowledged within 24h.
safe harbor
We won't pursue legal action against good-faith research that:
1. targets only storyflo.com production surfaces;
2. does not access, modify, or delete data belonging to other listeners or publishers (other than your own test accounts);
3. does not degrade availability — no DoS, no resource-exhaustion "tests";
4. reports privately and gives us reasonable time to fix before disclosing publicly.
If a finding requires you to bend rule 2 to demonstrate impact, stop and email us first — we'll grant explicit written permission for the specific demonstration.
reward / acknowledgement
We do not currently run a paid bug-bounty program. We commit to:
- public credit in the security advisory + thank-you in our changelog for any valid finding (pseudonymous OK)
- discretionary swag (storyflo brand kit) for the first 25 valid reports
- paid program commitment within 6 months of public launch — researchers who report during the pre-bounty window will be retroactively rewarded for valid critical / high findings
hall of fame
(empty — be the first)
