Vulnerability Disclosure Policy

Last updated: 2026-04-28

FleyeMaps welcomes reports from security researchers who help us keep the platform and our customers safe.

Reporting

Email security@fleyemaps.com with:

  • A clear description of the issue and its impact
  • Steps to reproduce (URL, request, payload)
  • Any proof-of-concept code
  • Your name or handle (optional) for credit

PGP is supported on request. We will acknowledge receipt within 2 business days and provide a remediation timeline within 5 business days of validation.

Safe harbor

If you make a good-faith effort to comply with this policy during your research, we will:

  • Not pursue or support legal action against you
  • Work with you to understand and resolve the issue quickly
  • Recognize your contribution publicly if you wish

Good-faith research means:

  • You do not access, modify, or delete data that does not belong to you
  • You do not disrupt service for other users (no DoS, no spam, no fuzzing in production beyond what is necessary to demonstrate the issue)
  • You do not publicly disclose the issue before we have remediated it
  • You give us a reasonable window (typically 90 days) before disclosure

Out of scope

The following are not eligible:

  • Volumetric DDoS attacks
  • Social engineering of FleyeMaps staff or customers
  • Physical attacks against FleyeMaps offices or staff
  • Issues in third-party services we use (please report to the vendor — see our Sub-processor List)
  • Vulnerabilities in customer-supplied content (e.g. customer-uploaded webhook URLs, custom domains they control)
  • Best-practice findings without a demonstrated exploit (missing CSP headers on static pages, etc.)

Bounty

We do not currently run a paid bug bounty program. Significant findings will be publicly recognized in our Security Hall of Fame unless you ask to remain anonymous.

Contact: security@fleyemaps.com