InnovationFlow is operated by Macrocyra UG (haftungsbeschränkt), Berlin, Germany. If you believe you have found a security vulnerability in any of our systems, we want to hear from you and will work with you to resolve it quickly.
Reporting a vulnerability
Email security@innovationflow.app. Encrypted email is available on request. To help us triage quickly, please include:
- A clear description of the issue and its potential impact.
- The affected URL, endpoint, or component.
- Step-by-step instructions to reproduce it (a minimal proof of concept is ideal).
- Any relevant logs, screenshots, or request/response captures.
Our machine-readable security contact is published at /.well-known/security.txt.
Scope
The following are in scope:
innovationflow.appandwww.innovationflow.app(this website).- The InnovationFlow application —
earlyaccess.innovationflow.app,app.innovationflow.app, and our staging/preview environments. - Our hosted API and integration endpoints, including the MCP server.
The following are out of scope:
- Vulnerabilities in third-party platforms we build on (for example Supabase, Vercel, or Microsoft). Please report those to the relevant provider; we're happy to help coordinate.
- Volumetric denial-of-service (DoS/DDoS) testing, or any high-rate automated scanning that degrades service for others.
- Spam, phishing, social engineering, or physical attacks against our staff, users, or offices.
- Reports generated solely by automated tools without a demonstrated, exploitable impact.
- Missing security headers, best-practice hardening, or software-version disclosure without a working exploit.
Guidelines for good-faith research
When researching, please:
- Only test against accounts and data that belong to you.
- Never access, modify, delete, or exfiltrate data belonging to other users — a proof of concept is enough to demonstrate a finding.
- Avoid any action that degrades, disrupts, or denies service to others.
- Keep findings confidential until we have had a reasonable opportunity to remediate them.
- Give us a reasonable time to fix the issue before any public disclosure — we suggest at least 90 days, and we're happy to coordinate timing with you.
Safe harbour
If you make a good-faith effort to comply with this policy during your research, we will consider your research to be authorised. We will work with you to understand and resolve the issue promptly, and we will not pursue or support legal action against you for your research. If a third party brings legal action against you for activity that was conducted in accordance with this policy, we will make it known that your actions were authorised.
What to expect from us
- We aim to acknowledge your report within 5 business days.
- We will keep you informed as we investigate and work toward a fix, prioritised by severity.
- With your permission, we are happy to publicly credit you once the issue is resolved.
Rewards
We do not currently run a paid bug-bounty programme. We are, however, genuinely grateful for responsible disclosure and are glad to acknowledge researchers who help us improve InnovationFlow's security.
Languages
You are welcome to report in English or German (Englisch oder Deutsch).
Security contact: security@innovationflow.app · security.txt