Vulnerability Disclosure Policy
Last updated: 18 May 2026 · Version 1.0
You found a vulnerability on Flavie. Here is how to report it, what we cover, and what we owe you in return.
Flavie is committed to preserving the data security and privacy of its users. We rely on the security research community to help us identify and fix vulnerabilities. This page describes the scope, rules of engagement, reporting process, and our commitments to researchers who act in good faith.
Guidelines for security researchers
We ask security researchers to:
- Notify us as soon as possible after discovering a real or potential security issue, at security@flavie.me.
- Allow us a reasonable amount of time to investigate and remediate the issue before disclosing it publicly. We commit to acknowledging your report within 3 business days and providing a status update at least every 7 days until resolution.
- Avoid privacy violations: do not access, modify, or delete data belonging to other Flavie users. Use only test accounts you control.
- Avoid service disruption: do not perform actions that degrade the user experience, exhaust system resources, or harm production systems.
- Use exploits only to the minimum extent necessary to confirm the vulnerability's presence. Do not pivot to other systems, escalate privileges beyond what is needed for proof-of-concept, or maintain persistence.
- Stop and report immediately if you encounter sensitive data (personal data, financial information, OAuth tokens, secrets, source code that is not public). Keep any data you incidentally accessed strictly confidential and delete it as soon as the report has been acknowledged.
- Do not submit a high volume of low-quality reports, automated scanner outputs without analysis, or duplicate reports for the same root cause.
Authorization and safe harbor
Security research carried out in conformity with this policy is deemed authorized. Flavie will not initiate or support legal action against researchers who act in good faith and within the boundaries described herein. We will treat your activity as legitimate research and not as an attack.
If you are unsure whether a planned activity falls within this policy, please email security@flavie.me first.
Scope
This policy applies to the following systems and services operated by Adrien Savalle for Flavie:
- The public website https://flavie.me and all its subpaths.
- The API gateway https://api.flavie.me (FastAPI, Meta WhatsApp Cloud API webhook, Stripe webhook, Google OAuth callback).
- The owner dashboard https://app.flavie.me (Jinja2 templates, magic-link authentication).
- The URL shortener https://flav.ist (Cloudflare Workers).
- The Flavie conversational service accessed through the WhatsApp shared number +33 7 68 99 74 90 (Meta Cloud API).
- The Google Workspace Drive account flavie@flavie.me and the service account flavie-drive-writer@flavie-494217.iam.gserviceaccount.com that operates within it.
Out of scope
Any third-party service that Flavie integrates with but does not own: Anthropic, OpenAI, ElevenLabs, Deepgram, Mistral AI (Voxtral), Twilio, Google APIs (Drive, Gmail, Calendar, Contacts, Maps, Sheets, Docs), Microsoft 365 (Graph API — Outlook, OneDrive, Excel, Word, Calendar, Contacts), Strava, Apify (LinkedIn / Instagram), Meta WhatsApp Business Platform, Stripe, Scaleway, Cloudflare. Vulnerabilities in those should be reported directly to the respective vendor.
Vulnerabilities affecting the Flavie service through one of these third-party integrations (e.g. a logic flaw in how Flavie uses the Stripe webhook) are in scope and should be reported to us.
Types of testing that are not authorized
The following activities are prohibited under this policy, even against in-scope assets:
- Network denial-of-service (DoS or DDoS) attacks.
- Physical testing (office access, theft of devices, tailgating).
- Social engineering, phishing, or pretexting against Adrien Savalle, sub-processors, or any third party.
- Automated brute force against authentication endpoints (the magic-link login, OAuth flows).
- Spamming the WhatsApp number or webhook endpoints with large volumes of synthetic traffic.
- Any activity that violates French law, EU law, or international law applicable in the researcher's jurisdiction.
Reporting a vulnerability
Send your report by email to security@flavie.me. Reports may be submitted anonymously, although providing contact information allows us to follow up with questions and credit you (if you wish).
PGP-encrypted reports: if you require encryption, please first email security@flavie.me requesting our current PGP public key and we will reply with it.
A standard RFC 9116 security.txt file is also available.
Desirable information in your report
To help us triage and reproduce your report quickly, please include:
- A clear description of the vulnerability and the impacted endpoint or feature.
- The full URL, request, and response that demonstrate the issue.
- Steps to reproduce: ideally a minimal proof-of-concept (script, curl command, or screen recording).
- The expected impact (data exposure, privilege escalation, denial of service, etc.).
- Any conditions required (specific browser, authenticated session, OAuth state).
- Your name or handle if you wish to be credited in the hall of fame.
Reports in English or French are equally welcome.
Our commitments to you
When you submit a report:
- Acknowledgement within 3 business days of receipt, at the email address you provided.
- First substantive response within 7 business days, including our initial assessment (in-scope / out-of-scope, severity, expected remediation timeline).
- Status updates at least every 7 days until the vulnerability is closed or you ask us to stop following up.
- Public credit on flavie.me/security/hall-of-fame if you wish, after the vulnerability is fixed and you have given us consent to disclose your name or handle.
- No legal action for activity that complied with this policy in good faith.
Coordinated disclosure
We follow a coordinated disclosure model. Once a fix is deployed, we are happy to coordinate with you on a public write-up. The default disclosure embargo is 90 days from the report date, extendable by mutual agreement if a fix requires more time. After the embargo, the researcher is free to publish.
If the vulnerability is being actively exploited in the wild, we may publish a security advisory before the embargo expires: the researcher will be informed beforehand.
Hall of fame
Researchers who report valid in-scope vulnerabilities and consent to disclosure will be listed on the public page flavie.me/security/hall-of-fame. Pseudonym or real name, your choice.
Contact
- Security: security@flavie.me
- Direct: adrien@flavie.me
- RFC 9116 security.txt: /.well-known/security.txt