Vulnerability Disclosure Policy

Last updated: 2026-02-10

Report a vulnerability

security@ampliflow.com

Languages: English or Swedish

At a glance

Scope: *.ampliflow.com (all subdomains incl. app) and ampliflow.se
Acknowledgment: Within 3 business days
Triage: Within 10 business days
Safe harbor: Yes, no legal action for good-faith researchers
Disclosure: 90-day coordinated disclosure

What we're looking for

We are interested in vulnerabilities such as:

  • Authentication bypass or session management flaws
  • Authorization bypass or broken access control
  • Cross-site scripting (XSS)
  • Cross-site request forgery (CSRF)
  • SQL injection and other injection attacks
  • Privilege escalation
  • Sensitive data or personal data exposure

What is NOT in scope

AI-generated reports are not accepted. In our experience, these produce false positives and waste time for both parties. Reports that are obviously AI-generated will be rejected without review.

Prohibited

The following activities are strictly prohibited and do not constitute valid security research:

  • Social engineering (phishing) against our employees or customers
  • Denial-of-service attacks (DoS/DDoS)
  • Spamming

Out of scope

The following do not qualify for rewards and are generally not reviewed:

  • Automated scan results without verified impact
  • Vulnerabilities in third-party software we don't control

How to report

Include in your report:

  • Type of vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact information for follow-up

Our process

Acknowledgment: Within 3 business days we confirm receipt of your report.
Triage: Within 10 business days we make an initial severity assessment.
Remediation: Confirmed vulnerabilities are prioritized by severity and fixed as soon as possible.
Follow-up: We keep you informed about the status.

Safe harbor

We will not take legal action against security researchers who:

  • Act in good faith and follow this policy
  • Report vulnerabilities directly to us before public disclosure
  • Do not exploit vulnerabilities beyond what is necessary to confirm them
  • Do not intentionally access or modify other people's data

Rules of engagement

  • Do not disrupt our services or harm users
  • Do not access, modify, or delete other people's data
  • Do not perform automated scanning without written permission
  • Follow all applicable laws

Reward program

We offer rewards for qualifying security reports, at our discretion. The amount depends on severity and report quality.

We're happy to list your name or alias in our acknowledgments if you wish.

Rewards are not available for: reports that don't follow this policy, already known vulnerabilities, or issues with negligible impact.

Coordinated disclosure

We practice 90-day coordinated disclosure. Do not publish details about a vulnerability until 90 days after we have confirmed it, or until a fix has been released, whichever comes first.

Contact

Cognit Consulting AB (AmpliFlow)
Security reports: security@ampliflow.com
General inquiries: info@ampliflow.com