Security & Vulnerability Disclosure
Last updated: June 2, 2026
Flourish Paths is built on trust. If you have found a security issue, we want to hear from you and we will work with you to fix it. This page explains how to report a vulnerability, what is in scope, and what you can expect from us in return.
The Short Version
- Email security@flourishpaths.com with the details and steps to reproduce.
- We aim to acknowledge your report within 5 business days.
- Report in good faith and we will not pursue legal action against you.
1. How to Report a Vulnerability
Send your report by email to security@flourishpaths.com. To help us act quickly, please include:
- A clear description of the issue and its potential impact
- Step-by-step instructions to reproduce it
- The affected URL, page, or API endpoint
- Any proof-of-concept code, screenshots, or request logs
You can also find this contact in our security.txt file, which follows the RFC 9116 standard.
2. What Is In Scope
- The Flourish Paths web application at flourishpaths.com
- Our public and authenticated API endpoints
- Authentication, session handling, and access-control logic
- Data exposure that lets one gardener read or change another gardener's data
3. What Is Out of Scope
The following are not eligible reports. Please do not test for them:
- Social engineering, phishing, or physical attacks against our team or users
- Denial-of-service attacks or any test that degrades the service for others
- Automated scanning that generates heavy traffic
- Reports from automated tools without a working proof of concept
- Missing security headers or best practices with no demonstrated impact
4. Researcher Guidelines
We ask that you:
- Only test against your own account and data. Never access, change, or delete another gardener's data.
- Stop as soon as you confirm a vulnerability, and do not download more data than is needed to prove it.
- Give us a reasonable amount of time to fix the issue before sharing it publicly.
- Keep the details of any vulnerability confidential until we have resolved it together.
5. Safe Harbor
If you make a good-faith effort to follow these guidelines, we will treat your research as authorized. We will not pursue or support legal action against you for accidental, good-faith violations of this policy, and we will work with you to understand and resolve the issue quickly. If a third party brings legal action against you for activity that followed this policy, we will make it known that your actions were authorized.
6. Our Response Commitment
- Acknowledgement: We aim to confirm we received your report within 5 business days.
- Status update: We aim to give you a meaningful update on our progress within 30 days.
- Resolution: We will let you know when the issue is fixed, and we are glad to credit you for the report if you would like.
7. Contact
For anything security-related, reach us at:
- Security email: security@flourishpaths.com
- General contact form: flourishpaths.com/contact