Security and responsible vulnerability disclosure
Effective from 23 April 2026
1. Security measures
- Transport encryption (TLS 1.2 or higher) between clients and servers.
- Password hashing with bcrypt; a constant-time login flow to protect against timing-based account enumeration.
- Rate-limiting of login and sensitive API endpoints.
- Separate production and development environments.
- Regular database backups with a retention of at least 30 days.
- Logging and audit trails for sensitive operations (logins, FC withdrawals, password changes).
- Principle of least privilege for internal access.
2. Responsible disclosure
The Operator welcomes responsible reporting of security vulnerabilities. For researchers who follow this policy, the Operator guarantees that it will not take legal action under §§ 230 and 231 of the Criminal Code.
PGP key — available upon request.
SLA for first response: 72 hours, counted on working days only.
3. Rules for researchers
- Do not access data of other users, except for your own test account.
- Do not carry out DoS/DDoS, do not conduct social engineering against employees, do not interfere with physical infrastructure.
- Do not publish the vulnerability before the agreed deadline (embargo typically 90 days from reporting or as agreed).
- The report must contain a sufficient description, reproduction steps and impact.
4. Safe Harbor
A researcher acting in good faith and in accordance with the rules above is guaranteed that their conduct will be treated as an authorised security test. The Operator waives the right to pursue sanctions against such a researcher, provided no harm to user data has occurred.
5. Incident notification to users
In the event of a personal data breach posing a risk to users, the Operator will report the incident to the Czech Data Protection Authority (ÚOOÚ) within 72 hours (Art. 33 GDPR) and to the affected data subjects without undue delay (Art. 34 GDPR), where required by law.
6. Operator contact
Prexima Reality s.r.o., Nad obcí I 2110/29, 140 00 Prague 4 - Krč. General inquiries: info@flipking.cz.