Security Policy
Last updated 30 July 2025.
Introduction
Factor House develops real-time data management tools, including Kpow, Flex, and Factor Platform. We are committed to protecting our users' data and systems through responsible security practices.
1. Reporting a vulnerability
Security researchers should report vulnerabilities to [email protected]. Reports should be detailed and human-verified, and include:
- Your contact details and organisation
- The vulnerability category (e.g. XSS, SQL injection)
- Affected product and version information
- An impact assessment and reproduction steps
- A proof-of-concept, where available
- PGP encryption of the report, if preferred
2. In-scope systems
Kpow web UI/API, Flex platform, Factor Platform, public-facing applications, and official Docker repositories.
3. Out-of-scope systems
Third-party services and customer deployments fall outside the coverage of this policy. Factor House software products are self-managed by customers within their own infrastructure.
4. Safe harbor
Good-faith researchers receive legal protection under applicable laws, DMCA exemptions for security research, and terms waivers.
5. Response process
Factor House acknowledges vulnerability reports within 2-3 business days. We investigate internally, provide status updates, remediate confirmed issues, and notify researchers upon resolution. Researchers may optionally be recognised publicly for their contribution. We do not currently offer a monetary bug bounty program.
6. Coordinated disclosure
We ask that researchers provide reasonable notice before any public disclosure, allowing sufficient time for remediation.
7. Contact information
Contact: [email protected]