
Bug Bounty Program

We aim to provide the best and safest user experience. To achieve that, we take safety, security & privacy very seriously and hold ourselves to the highest privacy and security standards. We put a lot of effort into our software, infrastructure and processes to keep them safe and secure for our users and to ensure their data is secure.

At FlexiFunnels, Security & Privacy is our top priority.

We are excited for the opportunity to work with the security community (bug hunters, security researchers, and white hat hackers) to help keep our users, customers, employees, and business safe.

If you believe you have discovered a security issue that we should know about, we would love to work with you.
Please let us know about it and we'll make every effort to quickly correct the issue.
Send us an email at javeed@flexifunnels.com.

Rewards

Our rewards are based on the severity of a vulnerability. The FlexiFunnels Development team determines the severity of the vulnerability.

- Low: $50
- Medium: $100
- High: $250
- Critical: $500

Eligibility

  - Submit/provide all the details to validate and reproduce the issue at javeed@flexifunnels.com
  - Must make a good faith effort to avoid impacting the service or the data contained in it.
  - Submit one vulnerability per report, unless you need to chain vulnerabilities to provide impact.
  - Must not violate any laws.

Responsible disclosure

  - Please do not discuss any vulnerabilities (even resolved ones) outside of the program without express consent from the FlexiFunnels team even after the bounty is paid. NOTE: Issuing a bounty reward does not necessarily mean that the issue has been fixed in production. Sometimes fixing the issue might take more time.

  - In case you find vulnerabilities that may negatively affect one or many of our users in any form, please refrain from exploiting them. Instead, report them to us immediately.

  - We expect you not to disclose the details or existence of the vulnerability until we fix the issue in production. 

  - Only use your own FlexiFunnels accounts for testing a vulnerability. The process should not negatively affect any of our other users' accounts.

  - Only test for vulnerabilities. Do not engage in activities that lead to destruction, copying and/or exposure of data or resources in our system.

  - Do not attempt a DoS or DDoS even if you find a related vulnerability. You may report the same for confirmation instead.

  - Do not test using social engineering techniques.

Vulnerability Categories

Vulnerability Type

- Privilege Escalation
- Leakage of Sensitive Data
- Payment Manipulation
- Cross-Site Scripting
- Subdomain Takeover
- SQL injections
- Server Side Request Forgery
- Authentication Bypass
- Insecure Direct Object Reference (IDOR)
- Directory Traversal
- Local File Inclusion
- Remote File Inclusion
- Cross-Site Request Forgery
- Remote Code Execution
- Information Disclosure
- Open Redirects
- Cross Origin Resource Sharing


Exclusions

- Social engineering
- HTML injection
- Unvalidated aka Open redirects or Tab nabbing
- Missing cookie flags on non-sensitive cookies
- Missing any best security practice that is not a vulnerability
- Attacks that require physical access to a user device
- Invalid or missing SPF/DKIM/DMARC/BIMI records
- Presence of EXIF information in file uploads
- Ability to upload/download executables
- Unvalidated findings from automated tools or scans
- Phishing risk via unicode/punycode or RTLO issues
- Clickjacking in unauthenticated pages or in pages with no significant state-changing action
- Logout or unauthenticated CSRF
- Self XSS
- Username or email address enumeration
- Email bombing
- XSS vulnerabilities on sandbox aka user-content domains
- Missing rate limitations on endpoints (without any security concerns)
- Missing security headers that do not lead directly to a vulnerability
- "Back" button that keeps working after logout
- Use of a known-vulnerable library (without evidence of exploitability)
- Low-impact descriptive error pages and information disclosures without any sensitive information
- Password and account policies, such as (but not limited to) reset link expiration or password complexity

Note:

Kindly submit your findings in detail with proof to javeed@flexifunnels.com

Provide us adequate time to look into the issue and get back to you regarding the same.


We appreciate your help in making our platform safe and secure.


Copyright © FlexiFunnels - All rights reserved.


Get ready, hackers and security enthusiasts!🛡️

Our Bug Bounty Program will launch soon.

Stay tuned for a chance to earn rewards while helping us strengthen our security.

Exciting details coming soon! 🚀