Security Vulnerability Disclosure Policy

Guidelines for responsibly reporting security vulnerabilities

Our Commitment to Security

At Flux Learning, security is a top priority. We value the security research community and believe that responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our users.

This policy outlines our expectations when working with security researchers, what you can expect from us, and the scope of systems covered by this policy.

How to Report a Vulnerability

If you believe you have found a security vulnerability, please report it to us using one of the following methods:

Primary Contact

Email: security@fluxlearning.com

For encrypted communication, please request our PGP key.

What to Include

Please include as much of the following information as possible:

  • Description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Affected URL(s), parameters, or components
  • Screenshots or proof-of-concept code (if applicable)
  • Your assessment of the severity
  • Any suggestions for remediation
  • Your contact information for follow-up

Scope

In Scope

  • fluxlearning.com and all of its subdomains (*.fluxlearning.com), including app.fluxlearning.com and api.fluxlearning.com
  • Flux Learning web application
  • Flux Learning API endpoints
  • Authentication and authorization mechanisms
  • Data storage and encryption
  • Session management

Out of Scope

  • Third-party services we integrate with (please report to them directly)
  • Social engineering attacks (phishing, pretexting, etc.)
  • Physical security issues
  • Denial of Service (DoS/DDoS) attacks
  • Automated vulnerability scanning without explicit permission
  • Issues in software or services not operated by Flux Learning
  • Issues that require physical access to a user's device
  • Issues affecting outdated browsers or operating systems

Qualifying Vulnerabilities

Examples of vulnerabilities we are interested in:

High Severity

  • Remote code execution
  • SQL injection
  • Authentication bypass
  • Privilege escalation
  • Sensitive data exposure

Medium Severity

  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • Insecure direct object references
  • Server-side request forgery (SSRF)
  • Broken access control

Non-Qualifying Issues

  • Missing HTTP security headers that don't lead to a demonstrable exploit
  • Missing cookie flags on non-sensitive cookies
  • Clickjacking on pages with no sensitive actions
  • Self-XSS without a clear attack vector
  • Rate limiting issues that don't lead to security impact
  • Theoretical vulnerabilities without proof of exploitability
  • Username/email enumeration
  • Stack traces or error messages without sensitive data

Our Commitment to You

When you report a vulnerability in good faith, we commit to:

Acknowledgment

Acknowledge receipt of your report within 3 business days

Communication

Keep you informed about the status of your report

Remediation

Work to remediate confirmed vulnerabilities in a timely manner

Recognition

Credit you for your discovery (if desired) once the issue is resolved

Safe Harbor

Not pursue legal action against researchers acting in good faith

Responsible Disclosure Guidelines

To qualify for safe harbor protections, we ask that you:

  • Act in good faith and avoid privacy violations, data destruction, and service disruption
  • Access only the data necessary to demonstrate the vulnerability
  • Exploit a vulnerability no further than is needed to prove it exists
  • Never access, modify, or delete data belonging to others
  • Never perform denial-of-service attacks
  • Never social engineer, phish, or physically attack our employees or infrastructure
  • Allow reasonable time for remediation before public disclosure (we recommend 90 days from your report)
  • Comply with all applicable laws

Response Timeline

Action                         Timeframe
Initial acknowledgment         Within 3 business days
Severity assessment            Within 10 business days
Status updates                 Every 2 weeks (or as needed)
Critical vulnerability fix     Within 7 days
High severity fix              Within 30 days
Medium/Low severity fix        Within 90 days

Recognition & Rewards

We believe in recognizing the valuable contributions of security researchers. For verified vulnerabilities, we offer:

  • Public acknowledgment on our Security Hall of Fame (with your consent)
  • Written recognition that you can use in your portfolio
  • Potential monetary rewards for critical vulnerabilities (determined case-by-case)

Note: We are evaluating the implementation of a formal bug bounty program. Contact us to discuss reward eligibility for your specific finding.

Contact Information

General Security Questions

Visit our Trust Center
Last Updated: January 2026