Temporary Program Pause

Thank you for all of your reports to our bug bounty program! You may have noticed that we temporarily paused our program and are only offering a maximum $50 bounty. This is a short-term measure to allow us some time to respond to existing tickets and improve our process. We've made great progress on this initiative and we plan to return bounty amounts to the previous values at the beginning of 2026

FloQast Bug Bounty Program

At FloQast, we support partnerships with security researchers because they help to make our products and services more secure. Researchers play an important role by discovering vulnerabilities missed in our software development process. If you are a security researcher that has found a vulnerability, please report it to us. If the vulnerability is within the scope of our Bug Bounty Program, you may receive an award. Even if it is not covered under our Program, we may publicly acknowledge your contributions when we fix the vulnerability. FloQast looks forward to collaborating with the community to harden our security posture and help reach our goal of making FloQast the most secure accounting software on the market today!

The FloQast Bug Bounty Program is subject to the legal terms and conditions here.

NOTE: Authenticated testing is NOT in scope at this time. Please DO NOT request a demo of our product through https://www.floqast.com. These requests send unnecessary forms to our sales team and disrupts our basic operations. We expect to allow authenticated testing in early 2023, but we do not support this feature at this time. Any researcher who is found to have requested a demo will be removed from this program.

FloQast Bug Bounty Program Terms and Conditions

FloQast has partnered with HackerOne to facilitate its Bug Bounty Program (the "Program"). Our mission is to build an innovative Program that is mutually beneficial for all parties involved. The Program Terms and Conditions ("Terms") cover users' participation in the Program. By participating in the Program and submitting any vulnerabilities, you accept these Terms as written.

The Program allows users to submit vulnerabilities and exploitation techniques ("Vulnerabilities") to FloQast for a chance to earn rewards in an amount determined by FloQast ("Bounty"). Decisions made by FloQast regarding Bounties are final and binding, and this Program may be canceled at any time for any reason. FloQast may change these Terms at any time, and continued participation in the Program after the changes become effective mean agreement to the new Terms.

Rewards

Rewards are based on a custom algorithm that leverages the CVSS Score of the Vulnerability, as well as the technical and business impact of exploiting the Vulnerability. This algorithm is based on the OWASP Common Weakness Scoring System (CWSS).

Reports submitted using methods that violate these Terms will not be eligible for a reward. To be eligible for a reward, the report must be for Bounty eligible assets as defined in the scope section of these Terms.

Multiple reports describing the same Vulnerability against multiple assets or endpoints where the root cause is the same will be treated as one report.

While we aim for consistency, previous reports and prior Bounty amounts will not set a precedent for future report eligibility, severity, or payment. Understand that there could be submissions for which we accept the risk, have other compensating controls, or will not address in the manner expected. When this happens, we will act as transparently as we can to provide you with the necessary context as to how the decision was made.

Safe Harbor

Any activities conducted in a manner consistent with these Terms will be considered authorized conduct, and we will not initiate legal action against you. If legal action is initiated by a third party against you in connection with activities conducted under the Program and these Terms, we will make it known that your actions were conducted in compliance with the Terms of the Program. FloQast reserves all legal rights in the event of noncompliance with these Terms.

Any testing that involves the networks, systems, information, applications, products, or services of another party other than (FloQast), that third party may determine whether to pursue legal action. We cannot and do not authorize security research on any other entities outside of the FloQast organization. If legal action is initiated by a third party against you and you have complied with these Terms, we will take reasonable steps to make it known that your actions were conducted in compliance with these Terms.

Program Eligibility

You may participate in the Program if all the following apply:

• You are 14 years of age or older. If you are 14 years old or older, but you are considered a minor in your place of residence, you must obtain your parent's or guardian's permission prior to participating in the Program.
• You are either an individual researcher participating in your own capacity or you work for an organization that permits your participation. You are responsible for reviewing your employer's rules for participation.
• You reside in a country not under any U.S. sanctions or other country that does not allow participation in this type of Program.

To be eligible for a possible Bounty under the Program:

• You agree and adhere to the Program Rules and Legal terms as stated in these Terms.
• You are the first to submit a sufficiently reproducible report for a Vulnerability.
• You are available to supply additional information, as needed by our team, to reproduce and triage the issue.

FloQast employees and contractors, or those working at FloQast within six months prior to participation in the Program and their immediate family members (parent, spouse, sibling, child) or household members, or anyone involved in any part of the development, administration, or execution of this Program are not eligible for rewards in this Program.

Publicly-known Zero-day Vulnerabilities will not be considered for eligibility until more than 30 days have passed since patch availability. Out-of-scope Vulnerability reports or reports that are technically reproducible but pose a very low security impact are likely to be closed as Informative.

All payments will be made in compliance with applicable law, and FloQast disclaims all liability for disputes arising between an employee and their employer related to this Program.

For Public Sector Employees: Public sector employees (government, education, etc.) may participate subject to the above, but all Bounties will be awarded directly to your public sector organization.

Program Do's and Don'ts

Do

• Read and abide by the Program's Terms.
• Perform testing using only accounts that are your own personal/test accounts or an account that you have explicit permission from the account holder to utilize.
• STOP testing if you believe your actions will have a negative impact on customers and the services they depend on.
• STOP testing if you are unsure about the impact it may have on our systems. If you think you may cause, or have caused, damage with testing a Vulnerability, report your initial finding(s) and request authorization to continue testing.

Do NOT:

• Do not do anything illegal or engage in activity that could be harmful to you, the Program, or others.
• Do not Brute force to gain credentials or guess credentials to gain access to systems.
• Do not participate in denial-of-service attacks or attacks that interrupt or degrade our service.
• Do not upload shells or create a backdoor of any kind.
• Do not engage in any activity that is false or misleading.
• Do not share inappropriate content or material.
• Do not engage in any form of social engineering of FloQast employees, customers, or vendors.
• Do not engage or target any FloQast employee, customer, or vendor during your testing.
• Do not do anything that would be considered a privacy violation or, cause destruction of data, or interrupt or degrade our service.
• Do not attempt to extract, download, or otherwise exfiltrate data that you believe may have PII or other sensitive data other than your own.
• Do not change passwords of any account that is not yours or that you do not have explicit permission to change. If ever prompted to change a password of an account you did not register yourself or an account that was not provided to you, stop and report the finding immediately.

Submission Review Process

Once a Vulnerability report is received, FloQast engineers will review the submission and validate eligibility. The review time will vary depending on the complexity and completeness of the submission, as well as on the number of other submissions received.

If FloQast determines that your submission is eligible for a Bounty, we will notify you of the Bounty amount and provide you with the necessary paperwork to process your payment, including tax forms. If you do not complete the required forms within the time-period listed on the notification message, FloQast will not provide payment.

If your submission qualifies for a Bounty, please note:

• You may not designate someone else as the Bounty recipient unless you are considered a minor in your place of residence. If you are eligible for this Program but are considered a minor in your place of residence, we may award the Bounty to your parent/legal guardian on your behalf and require them to sign all required forms on your behalf. The Bounty will be added to the taxable income of your parent/legal guardian.
• If you are unable or unwilling to accept your Bounty, we reserve the right to rescind it.
• If you accept a Bounty, you will be solely responsible for all applicable taxes related to accepting the payment(s).

Disclosure Policy

You may not discuss this Program or any Vulnerabilities (even invalid and resolved ones) outside of the Program without express written consent from the organization. If you are interested in sharing any information about your testing methodology related to a FloQast report, you must request permission on your report and you must receive written approval from a FloQast team member.

Violations of this Section could require that you return any Bounty paid and disqualify you from future participation in the Program.

Legal

FLOQAST, HACKERONE, AND OUR AFFILIATES MAKE NO WARRANTIES, EXPRESS OR IMPLIED, GUARANTEES OR CONDITIONS WITH RESPECT TO THE PROGRAM. YOU UNDERSTAND THAT YOUR PARTICIPATION IN THE PROGRAM IS AT YOUR OWN RISK. TO THE EXTENT PERMITTED UNDER YOUR LOCAL LAW, WE EXCLUDE ANY IMPLIED WARRANTIES IN CONNECTION WITH THE PROGRAM.

While FloQast does not claim ownership rights of your submission, by providing any submission you:

• Grant FloQast a non-exclusive, irrevocable, perpetual, royalty free, worldwide, sub-licensable license to use, review, assess, test, reproduce, modify, distribute, and otherwise analyze or use your submission.
• Agree to sign any documentation that may be required to confirm FloQast's rights granted above.
• Represent and warrant that your submission is your own work, that you haven't used information owned by another person or entity, and that you have the legal right to provide the submission.

FloQast reserves the right to modify the terms and conditions of this Program, and your participation in the Program constitutes acceptance of all terms. Please check this site regularly as we routinely update our Program terms and eligibility, which are effective upon posting. You can subscribe to receive email notifications when these Terms are updated.

Limitation of Liability and Arbitration

If you have any basis for recovering damages in connection with the Program (including breach of these Terms), you agree that your exclusive remedy is to recover from FloQast or any affiliates direct damages up to $100. You cannot recover any other damages or losses, including direct, consequential, lost profits, special, indirect, incidental, or punitive. You agree that any dispute that cannot be resolved directly with FloQast shall be resolved in binding arbitration before the American Arbitration Association ("AAA"), and you agree to not sue in court in front of a judge or jury.

Program Scope exclusions

The following are excluded from the Program:

• Leaked user credentials that don't seem to be associated with any vulnerability or data breach
• Findings with Social Engineering or Phishing as the primary impact
• Dangling S3 buckets in the CSP of newly deployed environments (We have policies and security controls in place to make sure they are claimed before customers are able to access the environment)
• Any attacks that do not target the FloQast web application using a web-based protocol
• Clickjacking on pages with no sensitive actions
• Cross-Site Request Forgery (CSRF) on unauthenticated forms or forms with no sensitive actions
• Attacks requiring MITM or physical access to a user's device
• Previously known vulnerable libraries without a working Proof of Concept
• Comma Separated Values (CSV) injection without demonstrating a Vulnerability
• Missing best practices in SSL/TLS configuration and Content Security Policy
• Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
• Any activity that could lead to the disruption of our service (DoS), including but not limited to, inundating support services with invalid requests
• Lack of rate limiting
• Brute force attacks against unauthenticated endpoints
• Missing HttpOnly or Secure flags on cookies
• Missing email best practices (Invalid, incomplete or missing SPF/DKIM/DMARC records, etc.)
• Vulnerabilities only affecting users of outdated or unpatched browsers. Outdated is considered more than two stable versions behind the latest released stable version.
• Tabnabbing
• Issues that require unlikely user interaction by the victim

Frequently Asked Questions

HackerOne Resources:

• What is required when submitting a report?
• How do I make my report great?
• I submitted a report. Now what? I have questions.
• What causes a report to be closed as Informative, Duplicate, N/A, or Spam?

FloQast Q&A

** Q: Where can I find information about the expected permissions for user roles?** Our User Type Guide document lists permissions for each role: https://view-su2.highspot.com/viewer/01c338c990703de2e094f3977e9f7a44#1

Q: Can I get FloQast swag? FloQast does offer swag as a reward for some submissions. Swag is most commonly awarded for bug submissions that do not have a significant impact to warrant a Bounty, but is still found to be valuable to our engineering team.

Q: Can FloQast provide me with a pre-configured test account? At this time, FloQast does not support authenticated testing.

Q: What is an example of an accepted Vulnerability? Valid and accepted vulnerabilities would be the type of report that identifies a unique security impact on this program's specific scope. The report must also meet any submission criteria outlined in the policy, such as test plan instructions and a working proof of concept.*

Q: What if I found a Vulnerability, but I don't know how to exploit it? We expect that Vulnerability reports sent to us have a valid attack scenario to qualify for a reward, and we consider this to be a critical element of Vulnerability research. Reward amounts are decided based on the maximum impact of the Vulnerability, and the panel is willing to reconsider a reward amount, based on new information (such as a chain of bugs, or a revised attack scenario).

Q: How do I demonstrate the severity of the bug if I'm not supposed to snoop around? Please submit your report as soon as you have discovered a potential security issue. The panel will consider the maximum impact and will choose the reward accordingly. We routinely pay higher rewards for otherwise well-written and useful submissions where the reporter didn't notice or couldn't fully analyze the impact of a particular flaw.

Q: I found an outdated software (e.g. Apache or Wordpress). Does this qualify for a reward? Please perform due diligence: confirm that the discovered software had any noteworthy vulnerabilities, and explain why you suspect that these features may be exposed and may pose a risk in our specific use. Reports that do not include this information will typically not qualify.

Q: Who determines whether my report is eligible for a reward? The reward panel consists of members of the FloQast Security Team.

What happens if I disclose the bug publicly before you had a chance to fix it? Per our Terms, any Vulnerabilities discussed publicly will likely disqualify you from receiving a Bounty.

Q: My report has not been resolved within the first week of submission. Why hasn't it been resolved yet? Reports that deal with potential abuse-related vulnerabilities may take longer to assess, because reviewing our current defense mechanisms requires investigating how a real life attack would take place and reviewing the impact and likelihood requires studying the type of motivations and incentives of abusers of the submitted attack scenario against one of our products.

Q: I wish to report an issue through a Vulnerability broker. Will my report still qualify for a reward? We believe that it is against the spirit of the program to privately disclose the flaw to third parties for purposes other than to fix the bug. Consequently, such reports will typically not qualify.

Q: What if somebody else also found the same bug? You will qualify for a reward only if you were the first person to alert us to a previously unknown flaw.