Vulnerability Disclosure Policy

Last updated: 2025-11-24

No bug bounty at this time; coordinated disclosure only.

Purpose & Scope

Flight Crew View (FCV) is a crew-facing mobile app, built by a pilot for crews, that helps pilots and flight attendants view schedules, layover information, messages, and more. FCV is a product of Flight Crew Apps, LLC.

We take the security and privacy of our users seriously and welcome responsible disclosure of vulnerabilities. This Vulnerability Disclosure Policy (VDP) explains how to report security issues to us, what is in scope, how we will handle your report, and the protections we offer to good-faith security researchers.

This policy covers security vulnerabilities in Flight Crew View’s applications and services as defined in the in-scope section below. It does not cover airline-owned systems, portals, or networks.

We are continuously maturing our security and privacy controls but do not claim any formal compliance certifications (such as SOC 2 or ISO 27001) at this time.

Authorization

If you make a good faith effort to comply with this policy and limit your testing to activities within its scope, we will consider your security research to be authorized. We will work with you to understand and resolve the issue quickly, and Flight Crew Apps, LLC will not initiate or recommend legal action against you for this research.

To the extent permitted by applicable law, we will not pursue civil or criminal action under anti-hacking laws (such as the Computer Fraud and Abuse Act or similar state laws) for good-faith, policy-compliant security testing.

If legal action is initiated by a third party against you for activities that were conducted in accordance with this policy, and we have sufficient information to validate that, we will make our authorization of your research known to that third party.

Guidelines

Under this policy, “research” means security testing activities in which you:

• Notify us as soon as possible after you discover a real or potential security issue.
• Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
• Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent access, or pivot to other systems.
• Provide us a reasonable amount of time to resolve the issue before you disclose it publicly.
• Do not submit a high volume of low-quality reports (for example, automated scanner output without clear security impact or triage).
• Once you’ve established that a vulnerability exists, or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), stop your test, notify us immediately, and do not copy, store, or disclose this data to anyone else.

In-Scope & Out-of-Scope

In-Scope Targets

This policy applies to the following systems and services:

  • Domains and APIs
    • *.flightcrewview.com
    • *.flightcrewview2.com
    • Backend APIs and application servers operated by Flight Crew View.
  • Mobile applications
    • Official Android (Flutter) app published by Flight Crew View.
    • Official iOS app published by Flight Crew View.
  • Web properties
    • Web applications, admin/support consoles, and marketing sites that we control under the domains above.

Architecture Context (for Researchers)

Authentication

  • SSO via Microsoft Entra ID (Azure AD) OIDC with PKCE and tenant-specific configuration. Airlines may enforce MFA via Conditional Access.
  • Non-SSO login via Firebase Authentication (email/password, Apple, Google). TOTP is supported for non-SSO accounts.
  • Attribute-based access control limits certain features (such as community airport/hotel tips search) to airline-associated accounts. Friends & Family accounts cannot search this database.
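The SSO flow above relies on PKCE (RFC 7636) to bind the authorization code to the client that requested it. The following is an added example, not Flight Crew View’s own code, showing both halves of the exchange in Python: the client-side verifier/challenge generation and the check an authorization server performs at the token endpoint. The function names are ours; the test vector is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import secrets
import string

# Unreserved characters permitted in a code_verifier (RFC 7636 §4.1).
_UNRESERVED = set(string.ascii_letters + string.digits + "-._~")


def base64url_no_pad(data: bytes) -> str:
    """Base64url encoding without '=' padding, as PKCE requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(n_bytes: int = 32) -> str:
    """Client side: a high-entropy verifier of 43..128 characters.

    32 random bytes encode to 43 characters, 96 bytes to 128, so any
    n_bytes in that range yields a verifier of legal length.
    """
    if not 32 <= n_bytes <= 96:
        raise ValueError("n_bytes must be between 32 and 96")
    return base64url_no_pad(secrets.token_bytes(n_bytes))


def code_challenge_s256(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return base64url_no_pad(hashlib.sha256(verifier.encode("ascii")).digest())


def is_valid_verifier(verifier: str) -> bool:
    """Length and character-set rules the server should enforce."""
    return 43 <= len(verifier) <= 128 and set(verifier) <= _UNRESERVED


def verify_pkce(verifier: str, stored_challenge: str,
                method: str = "S256", allow_plain: bool = False) -> bool:
    """Server side, at the token endpoint.

    Recompute the challenge from the presented verifier and compare it
    in constant time with the challenge stored alongside the auth code.
    The 'plain' method is refused unless explicitly allowed, since it
    offers no protection against a leaked challenge.
    """
    if not is_valid_verifier(verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(verifier)
    elif method == "plain" and allow_plain:
        expected = verifier
    else:
        return False
    return secrets.compare_digest(expected, stored_challenge)


def demo() -> bool:
    """Walk through one flow: authorize with a challenge, redeem with the verifier."""
    verifier = generate_code_verifier()
    challenge = code_challenge_s256(verifier)        # sent with /authorize
    # ... authorization code issued, challenge stored against it ...
    return verify_pkce(verifier, challenge)          # sent with /token


if __name__ == "__main__":
    print("round trip ok:", demo())
```

A researcher probing this flow would expect the token endpoint to reject a token request whose verifier does not hash to the stored challenge, to reject a missing verifier when a challenge was presented at authorization, and (for a well-configured tenant) to refuse the plain method.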

Schedule sources

  • Airline portal login (e.g., Flica) credentials are entered in-app and stored on the device only (iOS Keychain / Android Keystore) and are not stored on FCV servers; communication uses TLS directly to the airline site.
  • ICS imports and device calendar sync do not require credentials to be stored in FCV.

Hosting & security

  • Hosted in the United States on DigitalOcean (compute and managed database).
  • Cloudflare in front for DNS, CDN, WAF, and DDoS mitigation.
  • Admin and support consoles are behind Cloudflare Zero Trust with SSO, MFA, and least-privilege access.
  • Servers are firewalled with inbound access restricted to required ports; SSH is restricted to a single IP via VPN.
  • TLS 1.2+ is used for data in transit; provider-managed encryption at rest is used for databases, object storage, and backups.
  • Logging via structured server logs, Sentry (server/API), and Firebase Crashlytics (mobile), with sensitive fields scrubbed and only pseudonymous IDs sent to vendors.
  • Notifications via Firebase Cloud Messaging (FCM) with minimal payloads and no secrets.
  • Crew chat provided via Stream (getstream.io) as a sub-processor without ads or tracking.

Backups & retention

  • Daily backups are kept for approximately 180 days, with monthly backups retained longer and aged out over time.
  • Disaster recovery restores are tested at least twice per year, and we re-apply deletions as soon as practical after a restore.
  • Operations logs are retained for around 180 days (target). Account and flight logs are retained while an account is active; deletions from active systems typically occur within about 30 days, with older backups aging out over time.
  • For further details, please see our Privacy Policy: https://flightcrewview.com/privacy/ .

Out-of-Scope Items

The following are out of scope and must not be targeted:

  • Availability & volumetric attacks
    • Denial of Service (DoS) or Distributed DoS (DDoS) attacks.
    • High-volume automated scanning or fuzzing that degrades performance or availability.
    • Rate-limit bypass attempts that rely on large volumes of traffic.
  • Account & credential abuse
    • Credential stuffing using real-world leaked credentials.
    • Brute-force attacks against login endpoints or MFA mechanisms.
    • Attacks requiring stolen, rooted, or jailbroken devices, or bypassing device-level security controls.
  • Third-party services
    • Vulnerabilities in Cloudflare, DigitalOcean, Google (including Firebase/Auth/Crashlytics), Apple, Microsoft, Stream (getstream.io), or other third-party services.
    • These should be reported directly to the relevant vendor via their own disclosure programs, although we may coordinate with them as needed if a third-party issue affects Flight Crew View users.
  • Airline-owned systems
    • Airline portals (e.g., Flica) and any airline intranet, VPN, or corporate systems.
    • Scraping or automated interaction with airline websites beyond your normal, permitted use as a crew member.
    • Attempts to bypass airline network controls, VPNs, or SSO policies.
  • Social & physical vectors
    • Social engineering attacks against FCV staff, contractors, airlines, or other third parties.
    • Physical security attacks against any person, facility, or device.
  • Low-impact or speculative issues
    • Clickjacking or UI issues with no clear security impact.
    • Use of outdated libraries without a demonstrable exploit path.
    • Theoretical “what if” findings without a functioning proof of concept.
    • Self-XSS where the victim must paste code into their own console.

Rules of Engagement

These rules define the boundaries for permitted testing. Our authorization and safe harbor commitments apply only to testing that follows these rules and the scope defined in this policy.

To help us protect crew privacy and service availability, please follow these rules when testing:

  • Use your own accounts. Only test using accounts and devices you own or are explicitly authorized to use.
  • Do not exfiltrate real data. If you encounter personal data, stop and capture only minimal, redacted evidence.
  • Respect privacy and confidentiality. Avoid including sensitive personal data, real credentials, or secrets in your report where possible.
  • Avoid harm and disruption. Do not perform testing that materially impacts availability, integrity, or performance of our services.
  • Respect airline networks and systems. Do not attempt to bypass airline intranet/VPN controls or test airline portals and networks.
  • No malware or backdoors. Do not introduce persistent malicious code, ransomware, or backdoors.
  • Follow responsible disclosure timelines. Provide us a reasonable opportunity to remediate before publicly disclosing details; we request at least 90 days from initial acknowledgment unless we mutually agree otherwise.

How to Report a Vulnerability

Please send vulnerability reports to:

When reporting, please include where possible:

  • Your name or handle (you may remain anonymous or pseudonymous) and a working email address.
  • The affected domain, API endpoint, or app (Android/iOS/web), including version and OS details.
  • A clear summary of the issue and type of vulnerability.
  • Step-by-step reproduction instructions.
  • Proof-of-concept code, requests/responses, or screenshots demonstrating the impact (with data minimized and redacted where possible).
  • An assessment of potential impact and exploitability.
  • Your preferred coordinated disclosure timeline and whether you plan a public write-up.

If your report contains especially sensitive information, you may encrypt it using our PGP public key:
https://flightcrewview.com/.well-known/pgp-key.txt

General support issues should go to support@flightcrewview.com, but security-specific reports should go directly to the security address above.

Note: No bug bounty is offered at this time; this is a coordinated disclosure program focused on protecting crews and improving security.

Response Targets (SLAs)

We will make a good-faith effort to meet the following targets for in-scope reports:

  • Acknowledgment: within 2 business days.
  • Initial triage: within 7 calendar days.
  • Status updates: at least every 7–14 days until remediation or a final decision.

Remediation Targets

  • Critical (CVSS ≥ 9.0): target fix or effective mitigation within 7 days.
  • High (CVSS 7.0–8.9): target fix or mitigation within 14 days.
  • Medium (CVSS 4.0–6.9): target fix or mitigation within 30–60 days.
  • Low (CVSS 0.1–3.9): target fix or mitigation within 90 days.

These timelines are goals, not guarantees. Actual timelines may vary depending on complexity, required coordination, and potential user impact. If we expect delays, we will keep you informed.

Credit & Acknowledgments

We appreciate responsible security research. For valid, non-trivial vulnerabilities reported in accordance with this policy, we can offer optional public acknowledgment (for example, on a “Security Acknowledgments” page), if you wish.

You may choose to be credited under your name or handle, or to remain anonymous. There is no bug bounty and no monetary reward associated with this program at this time.

Privacy & Data Handling for Reports

We treat vulnerability reports and associated data as confidential security information.

  • We use the information you submit only to investigate, reproduce, and fix the reported issue.
  • Access to your report is limited to FCV staff and contractors who need it for security operations, communication, or related legal/compliance functions.
  • Where necessary, we may share relevant technical details with infrastructure or service providers, or affected airlines, using minimal data and, where practical, with your knowledge.
  • We retain vulnerability reports for as long as necessary for security operations, auditing, and legal obligations, and aim to minimize personally identifiable information in these records.

For general information about how we process personal data, please see our Privacy Policy:
https://flightcrewview.com/privacy/.

Versioning & Changes

This policy may be updated from time to time to expand scope, refine rules of engagement, or adjust timelines. When we make changes, we will update the “Last updated” date at the top of this page and may provide a brief summary of key changes.

The current version of this policy is always available at:
https://flightcrewview.com/security.

Copyright © 2014-2025 Flight Crew Apps, LLC. All rights reserved.