Security

security policy & bug bounty

storyflo treats security reports as a first-class signal. The faster a real-world researcher finds an issue, the faster every listener and publisher on the platform is safer. This page is the canonical source — quote it in any disclosure correspondence.

reporting a vulnerability

Pick whichever channel is easier for you. Email is preferred.

Please do not disclose publicly until we've confirmed a fix is live on production.

response SLA

stage | target
initial human acknowledgement | 24 hours (09:00–18:00 PT, Mon–Fri)
triage outcome | 3 business days
critical fix (RCE, full-DB read, auth bypass) | 7 days
high fix (privilege escalation, data leak) | 30 days
medium / low fix | 90 days

Critical reports outside business hours route to on-call via Telegram and are still acknowledged within 24h.

safe harbor

We won't pursue legal action against good-faith research that:

  1. targets only storyflo.com production surfaces;
  2. does not access, modify, or delete data belonging to other listeners or publishers (other than your own test accounts);
  3. does not degrade availability — no DoS, no resource-exhaustion "tests";
  4. reports privately and gives us reasonable time to fix before disclosing publicly.

If a finding requires you to bend rule (2) to demonstrate impact, stop and email us first — we'll grant explicit written permission for the specific demonstration.

reward / acknowledgement

We do not currently run a paid bug-bounty program. We commit to:

  • public credit in the security advisory + thank-you in our changelog for any valid finding (pseudonymous OK)
  • discretionary swag (storyflo brand kit) for the first 25 valid reports
  • paid program commitment within 6 months of public launch — researchers who report during the pre-bounty window will be retroactively rewarded for valid critical / high findings

hall of fame

(empty — be the first)

Code is BSL 1.1 (storyflo, storyflo-inference) or MIT (storyflo-sdk). Reports themselves carry no license obligation. See terms + privacy.