Security & vulnerability reporting
If you've found a security issue in FloorRadar, we want to hear about it. This page covers how to report and what we commit to in return.
How to report
Use our contact form and select "Security issue." Include:
- What the issue is
- Steps to reproduce (or a working proof of concept)
- Your assessment of severity / impact
- Whether you've disclosed this anywhere else
- Whether you'd like credit for the report (optional)
You can also use the /.well-known/security.txt contact information per RFC 9116.
What we commit to
- Acknowledge within 2 business days. Real human reply, not auto-response.
- Assess severity within 5 business days. We'll tell you if it's critical, high, medium, or informational.
- Patch critical issues within 7 days. Lower-severity issues land on the next regular release cycle, usually within 30 days.
- Credit you publicly in the changelog if you want; opt-out is fine.
- No legal threats for good-faith research. If you're acting in good faith (no harm, no extortion, no public dumping), we won't sue you. Period.
Scope
In scope:
- floorradar.com and any subdomain we publish
- The mobile-web rendering of the same
- Auth flow, payment flow, data exposure / cross-tenant leakage
Out of scope:
- Third-party providers we work with (report directly to the upstream vendor for issues in their service)
- Social engineering of our users
- Physical security issues
- Attacks that require a user account whose credentials the account holder voluntarily handed to you
What we WON'T do
- Threaten you with the CFAA or similar laws for testing in good faith
- Ignore your report
- Dispute findings without explaining why
- Publish your details without your consent
Bug bounty?
Not currently. We're a small team and a paid bug-bounty program isn't budgeted yet. We can offer credit + a thank-you in the changelog. As we grow, we'll add a formal bounty program. The lack of bounty doesn't change our commitment to respond and fix.
Internal security tracker
We maintain a public-facing security posture overview in the project's roadmap. Specific findings (open vs. resolved) are tracked internally and addressed on the cadence above.
Contact
Contact form · select "Security issue"