Security & Vulnerability Disclosure

Last updated: May 10, 2026

Reporting a vulnerability

If you believe you have found a security vulnerability in AcqFlo, please email help@acqflo.com with the subject line “Security: [brief description].” We acknowledge reports within 2 business days and aim to resolve confirmed issues as quickly as possible based on severity.

Please include enough detail to reproduce the issue: a description of the vulnerability, the affected URL or endpoint, steps to reproduce, and the impact you observed. If you have a proof-of-concept, attach it.

Scope

The following are in scope:

  • The AcqFlo application at acqflo.com
  • The AcqFlo API and Outlook Add-in
  • Authentication, authorization, and tenant-isolation issues

The following are out of scope:

  • Denial-of-service or volumetric attacks
  • Social engineering of AcqFlo employees or customers
  • Physical attacks against infrastructure providers
  • Issues in third-party services (Supabase, Vercel, Microsoft, Anthropic) — please report those directly to the respective vendor
  • Findings from automated scanners without a working proof of concept
  • Missing security headers without demonstrated impact

Safe harbor

We will not pursue legal action against researchers who report vulnerabilities in good faith and follow this policy. Specifically, we ask that you:

  • Do not access, modify, or delete data belonging to other customers
  • Do not disrupt service availability
  • Use only test accounts you own to reproduce issues
  • Give us a reasonable opportunity to fix the issue before public disclosure
  • Do not extort, threaten, or demand payment in exchange for disclosure

Disclosure timeline

We aim to acknowledge reports within 2 business days, triage within 5 business days, and resolve critical or high-severity issues within 30 days. We will keep you informed of progress and notify you when the issue is resolved. We support coordinated disclosure and welcome public write-ups once a fix is released.

Recognition

AcqFlo does not currently operate a paid bug bounty program. With your permission, we are happy to acknowledge your contribution publicly when a fix is released.

Machine-readable contact

Our security.txt file follows RFC 9116.

Contact

help@acqflo.com