FLIK Security
Security is a shared responsibility.
Introduction
FLIK is an Indonesian fintech platform enabling seamless payments and financial services for businesses and consumers. We believe that security is fundamental to earning and maintaining the trust of our users, partners, and the broader ecosystem.
We invite security researchers, ethical hackers, and the broader security community to help us identify and address vulnerabilities in our systems. This responsible disclosure policy outlines how we work together to keep FLIK and our users safe.
Responsible Disclosure Policy
This policy governs how security research should be conducted on FLIK systems and how findings should be reported to us. By participating in our responsible disclosure program, you agree to follow the guidelines outlined in this policy.
Systems in Scope
In Scope
| Asset | Type | Notes |
|---|---|---|
| flik.co.id | Web | Main landing site |
| checkout.flik.co.id | Web | Shopper checkout flow |
| merchant.flik.co.id | Web | Merchant dashboard |
| api.flik.co.id | API | Public-facing REST API |
| FLIK Android app | Mobile | Production build on Google Play Store |
| FLIK iOS app | Mobile | Production build on App Store |
Out of Scope
| Asset / Behaviour | Reason |
|---|---|
| wiki.flik.co.id | Internal documentation only |
| abdidalem.flik.co.id | Internal operations tool |
| metabase.flik.co.id | Internal analytics, VPN-gated |
| *.useflik.com | Development environment |
| Third-party vendors (Xendit, Midtrans, Cashlez) | Infrastructure not owned or operated by FLIK |
| Social engineering / phishing attacks on FLIK staff | Prohibited by policy |
| Physical security attacks | Out of scope |
| Denial of Service / volumetric attacks | Prohibited by policy |
| Automated scanning without prior written permission | Prohibited by policy |
| Any asset not listed in the In Scope table | Default out of scope |
Our Commitments
When you report vulnerabilities to us in good faith, we commit to:
- Acknowledge receipt of a valid report within 5 business days
- Keep the reporter informed of remediation progress throughout the process
- Work to remediate confirmed vulnerabilities within a reasonable timeframe, within operational constraints
- Extend safe harbour for research conducted in good faith under this policy
- Credit the researcher in the Hall of Fame upon request and with their explicit written consent
- Not initiate or support legal action against researchers for accidental, good-faith violations of this policy
Our Expectations
To participate in our responsible disclosure program, we expect researchers to:
- Submit reports only via techteam@flik.co.id — no other channel is official
- Not access, modify, or delete data beyond the minimum required to demonstrate the vulnerability
- Not perform tests that degrade or disrupt service availability (no DoS or DDoS)
- Not conduct automated, volumetric scanning without prior written permission from FLIK
- Only interact with test accounts they own or have explicit permission to use
- Provide a 90-day coordinated disclosure window before any public disclosure of the finding
- Not engage in extortion, ransom demands, or social engineering against FLIK staff or users
Safe Harbour
Research conducted in good faith under this policy is considered by FLIK to be:
- Authorised under applicable Indonesian law — FLIK will not initiate or support legal action for accidental, good-faith violations of this policy
- Authorised under relevant anti-circumvention law — FLIK will not bring claims for circumvention of technical controls
- Exempt from Terms of Service restrictions that would otherwise prohibit security testing, on a limited and specific basis
- Lawful, helpful to the security of the Indonesian fintech ecosystem, and conducted in good faith
Safe harbour applies only to legal claims under FLIK's direct control. Claims initiated by independent third parties are not covered by this policy.
Report a Vulnerability
Please send vulnerability reports to:
techteam@flik.co.id
To help us respond quickly and effectively, please include the following information in your report:
- Affected asset — URL, app name, or API endpoint where the vulnerability was found
- Vulnerability type — OWASP category or classification (e.g., SQL Injection, XSS, IDOR)
- Steps to reproduce — Numbered, detailed instructions that allow us to verify the issue
- Impact and severity assessment — What could an attacker achieve? How serious is this?
- Proof of concept — Screenshots, HTTP requests, curl commands, or video demonstrating the issue
- Suggested remediation — Optional but appreciated if you have recommendations
Please use the following subject line format:
We aim to acknowledge receipt within 5 business days and will keep you updated on our progress throughout the remediation process.