Flexion Vulnerability Reporting Policy
(Last updated: January 30, 2026)
Purpose
Flexion is committed to maintaining the security and privacy of our systems, applications, infrastructure, and client data. We recognize that the broader security research community provides a valuable service by identifying vulnerabilities in digital systems and responsibly disclosing them. The purpose of this policy is to provide a clear and transparent process for reporting vulnerabilities, define expectations for external researchers, and reinforce Flexion’s commitment to good-faith security collaboration.
Scope
This policy applies to all digital assets owned, operated, or managed by Flexion, including but not limited to publicly accessible web applications, APIs, cloud environments, and endpoint management platforms. Assets explicitly listed in our published security programs or hosted at flexion.us are included in scope unless otherwise noted.
The following categories are considered out of scope for this policy: physical security issues, social engineering tactics including phishing or impersonation of Flexion personnel, denial-of-service (DoS or DDoS) attacks, spam or brute-force attempts that result in service degradation, and vulnerabilities in systems not owned or controlled by Flexion (such as third-party vendors or open-source components not integrated into Flexion-managed platforms).
Guidelines for responsible disclosure
Security researchers who believe they have discovered a vulnerability are encouraged to report their findings directly to Flexion’s Security Team at flexion-security@flexion.us. Reports should include a detailed summary of the issue, the affected asset (including IP address, hostname, or URL), and clear, reproducible steps that demonstrate the vulnerability. If available, researchers should also include screenshots, logs, or a proof-of-concept to assist in our evaluation.
Researchers must avoid accessing, modifying, or deleting any data that does not belong to them. Any testing conducted should not disrupt services or compromise user privacy. Researchers should not use automated scanners that might produce excessive traffic or unintentional service degradation. Exploiting a vulnerability to pivot within a system or access additional resources is strictly prohibited. Researchers who violate these principles may forfeit safe harbor protections.
Flexion requests that researchers allow a reasonable amount of time for triage and remediation before publicly disclosing any details of a vulnerability. Our standard window for resolution is 14 days from initial receipt of the report, although some issues may be addressed more quickly depending on their severity and impact.
What to expect from Flexion
Upon receipt of a vulnerability report submitted in good faith, Flexion’s Security Team will acknowledge the submission within five business days. All valid reports will be reviewed, investigated, and validated as quickly as possible. If further information is required to reproduce or verify the vulnerability, the reporting researcher will be contacted directly.
Flexion is committed to transparency with the research community. Where appropriate, researchers will receive regular updates on the status of their report, including any remediation steps underway.
Reporting instructions
To report a vulnerability, researchers should email flexion-security@flexion.us with the following information: a summary of the vulnerability, the affected system or component, detailed steps to reproduce the issue, and any supplemental materials such as logs, screenshots, or proof-of-concept code. All vulnerability reports and questions related to this policy should be directed to flexion-security@flexion.us.
Policy review and updates
This policy is reviewed periodically and may be updated to reflect changes in our systems, priorities, or legal obligations. The most current version will be made available on our website or through appropriate internal and external channels.