Policy
Your privacy and data security are crucial to us at Akiflow, and we constantly work to identify weaknesses in our technology.
The responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our systems, our customers and their data.
If you believe you've found a security issue in our product or service, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Disclosure Policy
- Let us know as soon as possible upon discovering a potential security issue, and we'll make every effort to resolve the problem quickly.
- Please provide us with a reasonable amount of time to resolve the issue before any disclosure to the public or a third party.
- Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the explicit permission of the account holder.
While researching, we'd like to ask you to refrain from:
- Denial of service
- Spamming
- Social engineering (including phishing) staff or contractors
- Any physical attempts against Akiflow property or data centres
Scopes
Services under (or a sub-domain of) the domains:
- akiflow.com
- web.akiflow.com
- api.akiflow.com
- The Akiflow desktop client
Bounty program
Currently, Akiflow does not officially guarantee a bounty for bugs found, but if you believe you've found a security issue with Akiflow, please tell us so we can address it. Your efforts may be eligible for a monetary reward.
You may be eligible for a monetary reward if you are the first person submitting a bug and you comply with all the rules listed in this document.
Out-of-scope vulnerabilities
- Anything on a domain other than akiflow.com, app.akiflow.com and api.akiflow.com, or outside the desktop client.
- Dynamic XSS, unless chained with other exploits.
- Open redirect issues unless chained with other exploits.
- Network-level Denial of Service (DoS/DDoS) attacks
- Spam-related issues
- Issues affecting third parties (Chargebee, Intercom, Postmark, etc.)
- UI and UX bugs (e.g., copy errors, spelling mistakes)
- Other non-security related bugs
- Findings from physical testing (e.g., at offices, following employees, etc.)
Feel free to report the problems mentioned above, but we will most likely not offer a monetary reward for them.
How you should behave while looking for bugs
- If possible, delete any test data or accounts you have created as part of the research.
- Don't attack or interact with end-users.
- Don't engage with stolen user data, including credentials.
- Don't use social engineering attacks, such as phishing.
Reporting
If you believe you have found a security vulnerability, please report it by emailing support@akiflow.com.
- Please include a detailed description of the vulnerability and its potential impact, with the steps required to reproduce it, highlighting the security impact (POC scripts, screenshots and videos are all helpful).
- Your submission should include instructions for reproducing the vulnerability (written or video). Reports without clear reproduction steps may be ineligible for a reward.
Security Hall of Fame
In our 🏆 Security Hall of Fame, you can find a list of people who helped Akiflow improve its security.