Skip to content
Legal

Security Policy

Last updated 30 July 2025.

Introduction

Factor House develops real-time data management tools, including Kpow, Flex, and Factor Platform. We are committed to protecting our users' data and systems through responsible security practices.

1. Reporting a vulnerability

Security researchers should report vulnerabilities to [email protected]. Reports should be detailed and human-verified, and include:

  • Your contact details and organisation
  • The vulnerability category (e.g. XSS, SQL injection)
  • Affected product and version information
  • An impact assessment and reproduction steps
  • A proof-of-concept, where available
  • PGP encryption of the report, if preferred

2. In-scope systems

Kpow web UI/API, Flex platform, Factor Platform, public-facing applications, and official Docker repositories.

3. Out-of-scope systems

Third-party services and customer deployments fall outside the coverage of this policy. Factor House software products are self-managed by customers within their own infrastructure.

4. Safe harbor

Good-faith researchers receive legal protection under applicable laws, DMCA exemptions for security research, and terms waivers.

5. Response process

Factor House acknowledges vulnerability reports within 2-3 business days. We investigate internally, provide status updates, remediate confirmed issues, and notify researchers upon resolution. Researchers may optionally be recognised publicly for their contribution. We do not currently offer a monetary bug bounty program.

6. Coordinated disclosure

We ask that researchers provide reasonable notice before any public disclosure, allowing sufficient time for remediation.

7. Contact information

Contact: [email protected]