Fluxer Bug Bounty Program #86

@adityaax

Company

Fluxer

Program URL

https://fluxer.app/security

Contact

mailto:security@fluxer.app

Rewards

  • bounty
  • recognition
  • swag

Program type

bounty

Status

active

Description

Fluxer may award a Bug Hunter badge and Fluxer Plutonium gift codes for valid reports.

Domains

*.fluxer.app
*.fluxer.gg
*.fluxer.gift
*.fluxerapp.com
*.fluxer.dev
*.fluxerusercontent.com
*.fluxerstatic.com
*.fluxer.media

Structured scope

In scope are Fluxer websites, applications, and services operated by Fluxer Platform AB, including fluxer.app, fluxer.gg, fluxer.gift, fluxerapp.com, fluxer.dev, fluxerusercontent.com, fluxerstatic.com, fluxer.media, and their subdomains. Infrastructure, systems, and operational services directly managed by Fluxer are also in scope when they affect authentication, authorisation, payments, community data, or security- or privacy-relevant data such as user identifiers, account metadata, logs, analytics, and telemetry.

Out of scope

Third-party services and infrastructure we do not control, including partner communities' independent integrations, bots, and external hosting providers.
  • Physical security
  • Social engineering
  • Phishing
  • Bribery
  • Coercion

Attempts to manipulate Fluxer staff or users are also out of scope.

  • DoS attacks
  • Traffic flooding
  • Resource exhaustion testing
  • Noisy automated scanning
  • Bulk testing without a clear impact
  • General UI bugs
  • Feature requests and ordinary support issues

Application-layer DoS vulnerabilities that can be demonstrated with a single unauthenticated request or a small number of requests may be reported, but do not actively exploit them at scale.

Issues in forked, modified, or outdated self-hosted deployments are out of scope unless they are reproducible on the latest official release. Low-impact or theoretical findings, such as missing best-practice headers, are usually not prioritised unless you can show a realistic attack path and concrete security impact.

Minimum payout

No response

Maximum payout

No response

Currency

No response

Payout - critical

No response

Payout - high

No response

Payout - medium

No response

Payout - low

No response

Testing policy URL

No response

Excluded methods

  • dos
  • social_engineering
  • phishing
  • physical_access
  • automated_scanning

Requires account

None

Safe harbor

None

Allows disclosure

None

Disclosure timeline days

No response

Response SLA days

No response

Legal terms URL

No response

Hall of fame URL

No response

Swag details

No response

Reporting URL

No response

PGP key URL

No response

Preferred languages

English

Standards


Confirmation

  • I confirm the information is accurate and I have included only publicly documented program details.
