Overview
This Responsible Disclosure Policy applies to all companies within and associated with Fleximize, which is part of the Alterium Group of Companies (hereinafter referred to as "Fleximize", "we" or "us") or Alterium Limited (referred to in this statement as "The Group"). The Alterium Group of Companies is made up of Alterium Limited (08621989), Fleximize Limited (07117447), Fleximize Capital Limited (09485920), Fleximize Services Limited (08871283), Fleximize Technology Services Limited (10381710) and Flexicard Limited (10223497). Approvity is a trading name of The Alterium Group.
Fleximize is committed to maintaining the security and integrity of our systems, products, and customer data. While we make every effort to ensure our platforms are secure, we recognize that vulnerabilities may still exist. We encourage responsible security research and welcome reports of potential security issues.
This policy, together with any documents or links contained on this page, outlines how security researchers can report vulnerabilities to us and what they can expect in return. It ensures a structured, lawful, and ethical approach to vulnerability disclosure, in line with industry best practices.
By submitting a report, you acknowledge and agree to the terms of this policy, along with our terms of use, and privacy policy.
Scope
This policy applies to security vulnerabilities that could impact the confidentiality, integrity, or availability of Fleximize’s:
- Websites, web applications, and APIs
- Customer and business data
- Infrastructure and network security
To be eligible for acknowledgment, vulnerabilities must be original, previously unreported, and in compliance with this policy.
Out of Scope: Certain activities and findings are outside the scope of this policy and must not be attempted. This includes, but is not limited to:
- Denial-of-service (DoS) attacks
- Brute-force attacks
- Physical or social engineering (including phishing) targeting Fleximize staff or contractors
- Any attempt to access, store, share, or delete Fleximize or customer data
- Automated scanning tools without manual verification
- Exploitation of vulnerabilities beyond what is necessary to demonstrate their existence
Confidentiality & Data Protection
All information about Fleximize systems, staff, or customers that comes into your possession as part of your security research must be treated as strictly confidential and not shared or used for any purpose other than reporting the vulnerability to us.
If you inadvertently access any personal data, you must immediately cease further exploration, report the issue, and follow all instructions provided by Fleximize. You must comply with all relevant data protection laws when reporting vulnerabilities.
How to Report a Vulnerability
If you discover a security vulnerability, you must submit a detailed report to [email protected]. Your report should include:
- Title: A concise summary categorizing the vulnerability (e.g. Reflected XSS on login page)
- Affected Asset: Web address, API endpoint, IP address, or application name
- Weakness Type: Classification of the vulnerability (e.g., OWASP Top 10, CWE reference)
- Severity: An assessment of risk (e.g., low, medium, high, critical) and CVSS score if available
- Description:
  - Summary of the issue
  - Supporting evidence (e.g., screenshots, logs, video recordings)
  - Suggested mitigations or recommendations
- Steps to Reproduce:
  - Clear step-by-step instructions
  - Proof-of-concept code, if applicable
- Impact: Explanation of how the vulnerability could be exploited
- Your Contact Details (Optional): Name and email address
Do not include proof-of-exploit in plain text email if the vulnerability is still exploitable. If in doubt, please contact us before sending details.
What to Expect
- Acknowledgment: We will confirm receipt of your report within a reasonable timeframe.
- Investigation: If the vulnerability is valid and within scope, we will investigate it promptly.
- Resolution: If necessary, we will work on a fix and keep you updated on progress.
- Recognition: Eligible contributors may be added to our Hall of Fame (see the Hall of Fame section below).
Exclusions
We do not classify the following as valid security vulnerabilities:
- Automated vulnerability scanner output without manual verification
- Outdated browser security flaws (e.g., Internet Explorer <10)
- Lack of HTTP security headers (e.g., Content-Security-Policy, HSTS, X-XSS-Protection)
- Missing flags on cookies (e.g., HTTPOnly, Secure)
- CSRF token issues unless they lead to a demonstrable exploit
- Clickjacking unless significant risk is demonstrated
- Disclosures of non-sensitive public information (e.g., server type, internal IPs)
- Rate-limiting weaknesses
- Issues requiring social engineering, phishing, or other user-based interactions
Hall of Fame
Fleximize does not offer financial rewards for vulnerability disclosures. However, as a token of our appreciation, we may recognize security researchers who report valid issues in our Hall of Fame, where we will list their name and a single verified social media link of their choice (e.g., a LinkedIn profile or YouTube channel).
To request a modification or removal from the Hall of Fame, please email [email protected].
We’re proud to acknowledge the following individuals for their valuable contributions:
| Name | Web Link |
| --- | --- |
| Sebastian Kozieł | https://github.com/sebastiankoziel |
Legal Considerations
This policy aligns with UK laws, including but not limited to:
- The Computer Misuse Act 1990
- The General Data Protection Regulation (GDPR)
- The Data Protection Act 2018
- The Copyright, Designs and Patents Act 1988
Fleximize will not take legal action against security researchers who:
- Act in good faith
- Follow the guidelines set out in this policy
- Do not exploit or misuse vulnerabilities
- Refrain from accessing, storing, or modifying any sensitive data
By submitting a report, you agree that:
- Your research is conducted solely for security improvement purposes.
- Any shared information is owned by Fleximize and must not be disclosed without permission.
- You grant Fleximize the right to use, modify, and store any submitted reports.
- You will not engage in any activity intended to harm Fleximize, its customers, or its employees.
Fleximize greatly appreciates the contributions of ethical security researchers in helping us maintain the security of our services. If you have any questions or concerns regarding this policy, please contact [email protected].
Thank you for helping keep Fleximize secure.