This file is org-wide. Unless a specific repo overrides it with its own
SECURITY.md, these rules apply to every flytohub/* project.
Please do not open a public issue for security bugs.
- 📧 security@flyto2.com (preferred)
- 🔒 GitHub private vulnerability reporting is enabled on every repo: navigate to Security → Report a vulnerability on the repo page
Include, when you can:
- The repo + version (commit SHA or release tag) you reproduced on
- A minimal reproducer (or a sanitised PoC)
- What you believe the impact is
- Whether you've contacted anyone else about this
We'll acknowledge within 24 hours and give you a triage verdict within 72 hours. We aim to ship a fix and disclose within 90 days.
In scope:
- Any source under flytohub/*
- Our hosted services: flyto2.com, cloud.flyto2.com, cortex.flyto2.com, docs.flyto2.com
- Our desktop builds published on flyto2.com/app.html
Out of scope (do not probe):
- Third-party SaaS we integrate with (Firebase, Cloud Run, Stripe, etc.)
- Social-engineering attacks against team members or customers
- Physical attacks against our offices
- DoS / volumetric attacks
- Findings that only impact unsupported browsers / OS versions
We don't currently run a paid bounty program, but we credit every reporter who follows this policy in the release notes of the fix (opt-out available). Repeat reporters of high-quality findings get priority triage.
A few things can look like leaked credentials but are expected-public:
- Firebase Web API keys (AIza...) and google-services.json / GoogleService-Info.plist on mobile: these identify the project, but enforcement lives in Firebase Security Rules + the domain allowlist (see the official Firebase guidance).
- OAuth client IDs (not secrets) in frontend .env.example
- Public GCP project IDs: infrastructure identifiers, not secrets
If you're unsure, report it; we'd rather review a false positive than miss a real one.