Trust Center
Responsible disclosure.
If you've found a security issue in CartonFlow, we want to hear from you. This page tells you how to report it, what we'll do in response, and the legal protections we offer for good-faith research.
Last updated: May 2, 2026 · Effective: May 2, 2026
TL;DR
Email [email protected] with details. Don't access data that isn't yours. We'll respond within 2 business days, work with you on a fix, and won't pursue legal action against good-faith research conducted within this policy.
1. How to report
The fastest way to reach the security team is by email (see section 9, Contact).
Please include in your report:
- A clear description of the issue and the asset affected (e.g. app.cartonflow.io/api/...)
- Steps to reproduce, or a proof-of-concept that doesn't access data belonging to other tenants
- Your assessment of impact (what an attacker could do)
- Whether you'd like credit, and the name to credit you under
2. Scope
✓ In scope
- app.cartonflow.io and its API endpoints
- cartonflow.io marketing site
- Authentication and session handling
- Tenant-isolation issues
- Privacy Mode encryption flaws
- Stored XSS, SSRF, IDOR, SQL injection
- Subscription / billing logic flaws
✗ Out of scope
- Denial-of-service or volumetric attacks
- Social engineering of staff or customers
- Physical attacks against our offices or vendors
- Issues in third-party services (report to that vendor)
- Missing security headers without demonstrated impact
- Self-XSS or clickjacking on non-sensitive pages
- Findings from automated scanners with no PoC
3. Rules of engagement
To stay within this policy and our safe-harbor protections:
- Use your own test account. Don't probe with another customer's account, even with their permission.
- Don't access, modify, or delete data that isn't yours. Stop at the first indication of cross-tenant access and report it.
- Don't run automated scans against production. Tools like Nessus, Burp active scanner, or sqlmap against live tenants are not permitted. Manual or low-volume testing is fine.
- No DoS, no resource exhaustion, no spam.
- Don't publicly disclose until we've confirmed a fix or 90 days have elapsed (whichever is sooner), unless we agree to a different timeline together.
- Don't extort. We pay for confirmed bugs (see below). Threats of disclosure to extract payment terminate safe-harbor protection.
4. What we promise in return
- Acknowledgment within 2 business days of receiving your report.
- Triage update within 5 business days with severity assessment.
- Fix timeline shared based on severity (see SLA below).
- Credit in our hall of fame if you'd like, after the fix ships.
- No legal action against good-faith research that follows this policy.
5. Remediation SLAs
- Critical (data exposure, account takeover, RCE): patch within 24 hours, public disclosure within 7 days post-fix.
- High (privilege escalation, sensitive info leak): patch within 7 days.
- Medium (limited-impact vulnerabilities): patch within 30 days.
- Low (best-practice deviations): patch on next scheduled release.
6. What happens after you report
- Day 0–2: We acknowledge receipt and assign a tracking ID.
- Day 2–5: Reproduce, triage, and confirm severity.
- Day 5+: Patch development. We may ask clarifying questions or share a draft fix for you to verify.
- Patch ships: We deploy the fix and notify you. If the issue affected customers, we send breach-notification emails per our 72-hour SLA.
- Public credit: Once fixed, we add you to our security acknowledgments page (with your permission).
7. Safe harbor
CartonFlow will not pursue civil or criminal action against researchers who:
- Make a good-faith effort to comply with this policy
- Report vulnerabilities promptly
- Avoid privacy violations, service disruption, and data destruction
- Do not exploit the vulnerability beyond what's needed to demonstrate impact
If a third party brings legal action against you for activities conducted within this policy, we will make our position public on your behalf.
8. Recognition
We don't currently run a formal paid bounty program, but we offer discretionary recognition for confirmed, well-documented vulnerabilities — based on severity, exploitability, and report quality. Researchers who follow this policy are also publicly credited (with their consent) on our Trust Center.
A formal bounty program is on our roadmap as we grow.
9. Contact
For all security-related correspondence: [email protected]
For non-security questions, please use support.