Trust & Security

Vulnerability Disclosure Program

Flymode values the security of our systems and the responsible disclosure efforts of the security research community.

01 Submit
02 Triage
03 Coordinate
04 Fix

Responsible Disclosure

Found a security issue? Tell us responsibly.

If you believe you have identified a security vulnerability affecting Flymode systems or applications, we encourage you to report it responsibly through our coordinated vulnerability disclosure process.

Our Commitment

Safe Harbor

Flymode supports good-faith security research conducted in accordance with this policy.

Good Faith Commitment

We will not pursue legal action against researchers who follow this policy.

01 Act in good faith
02 Avoid privacy violations and service disruption
03 Do not access or modify customer data unnecessarily
04 Provide us reasonable time to investigate and remediate reported vulnerabilities

If you believe your testing may exceed these guidelines, please contact us before proceeding.

Reporting Guidelines

What makes a great report

A clear, complete report helps our team verify and remediate faster — and keeps researchers safe from misuse claims.

Please Provide
  • Clear vulnerability description
  • Reproduction steps
  • Impact assessment
  • Supporting evidence
  • Affected URLs / assets

Please Avoid
  • Denial-of-service testing
  • Spam / scanner floods
  • Social engineering
  • Accessing customer data unnecessarily
  • Destructive testing
  • Automated exploitation at scale

What We Cover

Scope

This program applies to production systems and services owned and operated by Flymode.

In Scope
  • Production web applications under *.flymode.io
  • Production APIs
  • Official Flymode mobile applications
  • Publicly accessible production infrastructure owned by Flymode
  • Electron POS

Out of Scope

Domains & Subdomains

  • *.flymode.in
  • #test#.flymode.io
  • #staging#.flymode.io
  • #dev#.flymode.io
  • #stag#.flymode.io

Activities & Environments

  • Staging, development, QA, testing, or temporary environments
  • Third-party services or integrations not controlled by Flymode
  • Social engineering or phishing attacks
  • Physical attacks
  • Denial-of-service testing

Known Ineligible

Out-of-Scope Vulnerabilities

Reports limited to the following classes are typically closed as informative. Submitting a working PoC that demonstrates real impact may still qualify.

Typically Ineligible Classes
22 items

  • Broken link hijacking: Low severity only
  • Google Maps API key exposure: No demonstrated impact
  • Clickjacking: Pages without sensitive actions
  • CSRF: Unauthenticated or non-sensitive actions
  • MITM or physical access attacks: Requires local access
  • Vulnerable libraries without PoC: No working proof-of-concept
  • CSV injection: No demonstrated impact
  • SSL/TLS best-practice issues: Configuration only

Important Notice

Disclosure Policy

Public disclosure is not permitted without explicit written authorization from Flymode.

Coordinating disclosure protects our customers while a fix is rolled out. Please wait for our written go-ahead before publishing any details, including blog posts, talks, or social media.

Need authorization? security@flymode.io

Submit a Report

All reports are handled confidentially. Email us directly — every report is acknowledged.

Every report is acknowledged within 2 business days