
Security Policy

FolioOwl / EinsteinOwl LLC  ·  Contact: [email protected]

We take the security of FolioOwl and our users' data seriously. This page outlines how we handle security vulnerabilities and what to expect if you discover one.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability in FolioOwl, please report it to us responsibly by emailing [email protected] with the subject line "Security Vulnerability Report".

Please include:

  • A description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Any relevant screenshots, logs, or proof-of-concept code
  • Your contact information so we can follow up

What to Expect

  • We will acknowledge your report within 48 hours
  • We will investigate and keep you informed of our progress
  • We aim to resolve critical vulnerabilities within 7 days and others within 30 days
  • We will notify you when the vulnerability has been fixed

Responsible Disclosure Guidelines

✓ Please DO: Report vulnerabilities privately before public disclosure. Give us reasonable time to fix the issue. Act in good faith and avoid accessing user data beyond what is needed to demonstrate the vulnerability.

✗ Please DO NOT: Publicly disclose vulnerabilities before we have addressed them. Access, modify, or delete user data. Perform denial-of-service attacks. Use social engineering or phishing against our users or staff.

Scope

This policy applies to the FolioOwl web application at folioowl.com and its subdomains. It does not apply to third-party services we use (Stripe, Render, etc.) — please report vulnerabilities in those services directly to those providers.

Security Measures in Place

  • All passwords are hashed using bcrypt with strong salt rounds
  • CSRF protection on all forms via Flask-WTF
  • HTTP security headers via Flask-Talisman (CSP, HSTS, X-Frame-Options, etc.)
  • Rate limiting on all sensitive endpoints (login, register, feedback)
  • HTTPS enforced on all connections
  • Session cookies are HttpOnly, Secure, and SameSite=Lax
  • File upload validation restricts types and sizes
  • Stripe handles all payment data — we never store card numbers
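An added example, not FolioOwl's own code: a small standard-library audit that checks whether a response actually carries the header and cookie controls listed above (HSTS, CSP, X-Frame-Options, and HttpOnly/Secure/SameSite=Lax on the session cookie). It assumes the session cookie is named `session` (the Flask default) and uses an HSTS `max-age` threshold of 180 days; both are assumptions, and the sample responses are constructed, not captured from folioowl.com.

```python
"""Audit response headers for the hardening controls a Flask app should send.

Added example, not FolioOwl code. Standard library only, runs offline.
"""
from typing import Dict, Iterable, List, Optional, Tuple

HSTS_MIN_AGE = 15552000  # 180 days; assumed threshold, not taken from the page
SESSION_COOKIE = "session"  # Flask's default session cookie name (assumption)


def _parse_set_cookie(value: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Return (cookie_name, {attribute: value}) for one Set-Cookie header value.

    Attribute names are lower-cased; flag attributes (HttpOnly, Secure) map to None.
    """
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if "=" in part:
            key, val = part.split("=", 1)
            attrs[key.strip().lower()] = val.strip()
        else:
            attrs[part.lower()] = None
    return name, attrs


def _hsts_max_age(value: str) -> int:
    """Extract max-age from a Strict-Transport-Security value (0 if absent)."""
    for directive in value.split(";"):
        directive = directive.strip().lower()
        if directive.startswith("max-age="):
            try:
                return int(directive.split("=", 1)[1])
            except ValueError:
                return 0
    return 0


def audit_response(headers: Iterable[Tuple[str, str]],
                   session_cookie: str = SESSION_COOKIE) -> List[str]:
    """Return a list of findings; an empty list means every check passed.

    `headers` is a list of (name, value) pairs so repeated Set-Cookie headers survive.
    """
    findings: List[str] = []
    single: Dict[str, str] = {}
    set_cookies: List[str] = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            set_cookies.append(value)
        else:
            single[name.lower()] = value

    # HSTS: present with a long enough max-age.
    max_age = _hsts_max_age(single.get("strict-transport-security", ""))
    if max_age < HSTS_MIN_AGE:
        findings.append(f"HSTS max-age {max_age} below {HSTS_MIN_AGE}")

    # CSP: must exist and set a default-src fallback.
    csp = single.get("content-security-policy", "")
    if "default-src" not in csp:
        findings.append("CSP missing or has no default-src directive")

    # Clickjacking protection: DENY or SAMEORIGIN only.
    xfo = single.get("x-frame-options", "").strip().upper()
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options not DENY/SAMEORIGIN")

    # Session cookie flags: HttpOnly, Secure, SameSite=Lax or Strict.
    seen = False
    for raw in set_cookies:
        name, attrs = _parse_set_cookie(raw)
        if name != session_cookie:
            continue
        seen = True
        if "httponly" not in attrs:
            findings.append("session cookie lacks HttpOnly")
        if "secure" not in attrs:
            findings.append("session cookie lacks Secure")
        if (attrs.get("samesite") or "").lower() not in ("lax", "strict"):
            findings.append("session cookie SameSite is not Lax/Strict")
    if not seen:
        findings.append(f"no Set-Cookie for '{session_cookie}' in this response")
    return findings


# Constructed sample responses (not captured from any real server).
HARDENED = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "session=abc123; HttpOnly; Secure; SameSite=Lax; Path=/"),
    ("Set-Cookie", "csrf_token=xyz; Path=/"),
]
WEAK = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "session=abc123; Path=/"),
]

if __name__ == "__main__":
    for label, hdrs in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_response(hdrs) or ["ok"])
```

Run it against the response of a real login request (for example by feeding `response.headers.items()` from a test client) to confirm that the deployed app, not just the configuration file, emits every control.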

No Bug Bounty Program

We do not currently offer a paid bug bounty program. However, we deeply appreciate responsible security researchers who help keep our platform safe, and we will publicly acknowledge your contribution (with your permission) once a fix has been deployed.

© 2026 FolioOwl — Your Value Story Takes Flight — A product of EinsteinOwl LLC. All rights reserved.