Email security@flo.finance with a description, reproduction steps, and impact. We acknowledge within one business day and triage within three.

Please do not file public GitHub issues for security reports.

This is a demo repository. Vulnerabilities in the demo code are in scope; vulnerabilities in the upstream Flo API or SDK are tracked separately and may be eligible for the Flo bug bounty (up to $500K for critical smart-contract findings).

Good-faith research that respects user data, avoids service disruption, and reports findings to security@flo.finance qualifies for safe harbor under our coordinated disclosure policy.