Report Security Vulnerability – Flare

Flare is committed to resolving any issues that may compromise the security of our products and services as quickly as possible. We take security vulnerabilities very seriously and protecting customer data is one of our top priorities.

If you have discovered a security vulnerability, we would appreciate it if you could keep your findings confidential and disclose the relevant information to us in a responsible manner, as described below.

How to report a security vulnerability?

If you think you’ve found a security vulnerability in Flare products, services or online platforms, please contact us immediately via email and encrypt your report with our PGP key below:

Email contact: [email protected]

PGP Key: c8bf8a0c

Fingerprint: d060 0c78 450f 1e99 cecd 62d9 e473 6f09 c8bf 8a0c
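Before encrypting a report to the key above, verify the full 160-bit fingerprint, not just the 32-bit key ID: short key IDs such as c8bf8a0c can be brute-forced to collide, so a key fetched by short ID could belong to someone else. The script below is an added example, not Flare's own tooling. It fetches the key by full fingerprint, checks the primary fingerprint gpg reports against the one published on this page, and only then encrypts the report to it. The keyserver (keys.openpgp.org) and the report filename are assumptions; the fingerprint is the one printed above.

```shell
#!/bin/sh
# Added example, not Flare's own tooling: fetch the disclosure key, confirm its
# full fingerprint matches the one published on the page, then encrypt to it.
# The short key ID (c8bf8a0c) alone is not a safe identifier; compare the full
# 160-bit fingerprint.
set -u

EXPECTED_FPR="d060 0c78 450f 1e99 cecd 62d9 e473 6f09 c8bf 8a0c"  # from the page
KEYSERVER="hkps://keys.openpgp.org"   # assumption: where the key is published
REPORT="${REPORT:-report.txt}"        # assumption: plaintext report to encrypt

# Normalise a fingerprint to the form gpg uses in --with-colons output:
# no spaces, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'
}

# Read 'gpg --with-colons --fingerprint' output on stdin and print the primary
# key fingerprint: the first "fpr" record, field 10. Subkeys also produce fpr
# records, so stop at the first one.
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Succeed only if the primary fingerprint on stdin equals the expected one.
# An empty result (key not in the keyring) is a failure, not a match.
fpr_matches() {
    expected=$(norm_fpr "$1")
    actual=$(primary_fpr)
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Fetch, verify, encrypt. Needs gpg and network access, so it only runs when
# the script is invoked as:  sh encrypt_report.sh --run
encrypt_report() {
    fpr=$(norm_fpr "$EXPECTED_FPR")
    # Import by full fingerprint, never by short key ID.
    gpg --keyserver "$KEYSERVER" --recv-keys "$fpr"
    if ! gpg --with-colons --fingerprint "$fpr" | fpr_matches "$EXPECTED_FPR"; then
        echo "fingerprint mismatch: refusing to encrypt" >&2
        return 1
    fi
    # The fingerprint was checked against the page above, which is what makes
    # --trust-model always acceptable here: it skips gpg's "unknown trust"
    # prompt, not the fingerprint comparison. The recipient is the full
    # fingerprint so gpg cannot pick a different key with the same short ID.
    gpg --trust-model always --armor --recipient "$fpr" \
        --output "$REPORT.asc" --encrypt "$REPORT"
    echo "encrypted report written to $REPORT.asc"
}

if [ "${1:-}" = "--run" ]; then
    encrypt_report
fi
```

Run it as `sh encrypt_report.sh --run` with the plaintext report in `report.txt`; if the fetched key's primary fingerprint differs from the published one in any way, nothing is encrypted and the script exits non-zero.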

What to include in the report?

Please provide as much detail as possible. In particular, we would appreciate the following:

  • An explanation of the security vulnerability
  • A list of the products and services that may be affected (versions where applicable)
  • Steps to reproduce the vulnerability
  • Proof-of-Concept code or software
  • Test accounts you have created
  • URLs, IP addresses or infrastructure associated with the vulnerability (if relevant)
  • Your contact information, such as your organisation and contact name for ongoing communication

Please also advise if you have communicated the vulnerability to CERT or other parties and provide us with any reference numbers.

Rules of engagement

Please do not:

  • Take advantage of a security vulnerability
  • Access, delete or modify Flare or client data
  • Publicly disclose a vulnerability until it has been resolved
  • Download more data than necessary to demonstrate a vulnerability
  • Attempt to break into customer accounts
  • Ask for compensation for your report
  • Use Social Engineering, Denial of Service or Phishing attacks

Excluded Issues

The following items are known issues or accepted risks and are out of scope for this vulnerability reporting program:

  • Clickjacking
  • SPF, DKIM or DMARC configuration issues
  • Missing additional security controls, such as HSTS or CSP headers
  • Brute-force, rate-limiting, velocity-throttling and other denial-of-service issues
  • Any vulnerability found on the support.flarehr.com subdomain, which should be reported directly to Zendesk via their bug bounty program

Next steps

Please maintain confidentiality and do not make your research public until we have completed our investigation and implemented patches or other mitigations.

The Flare security team will endeavour to contact you within 72 hours of you reporting the security vulnerability and keep you informed on our progress towards resolving the vulnerability. We will notify you when the security vulnerability has been patched or mitigated, and add your name to our acknowledgments page if your vulnerability is valid.

Acknowledgements

Flare would like to thank the following researchers who have helped us improve security through our responsible disclosure program:

  • Karl Aparece
  • Sakshi Patil
  • Kunal Narsale
  • Mohd Asif Khan
  • Akshay Parse
  • Shubham Panchal
  • Yukesh Kumar