[{"data":1,"prerenderedAt":73},["ShallowReactive",2],{"changelog-entry-\u002Fchangelog\u002F2024\u002F01\u002Fsecurity-updates":3},{"id":4,"title":5,"body":6,"description":60,"extension":61,"meta":62,"navigation":68,"path":69,"seo":70,"stem":71,"__hash__":72},"changelog\u002Fchangelog\u002F2024\u002F01\u002Fsecurity-updates.md","Security Updates",{"type":7,"value":8,"toc":56},"minimark",[9,21,24,27,30,43,46,49],[10,11,12,13,20],"p",{},"As part of our dedication to providing a secure platform for our customers, we\noperate a ",[14,15,19],"a",{"href":16,"rel":17},"https:\u002F\u002Fflowfuse.com\u002Fhandbook\u002Fengineering\u002Fsecurity\u002F",[18],"nofollow","Bug Bounty programme","\nto encourage responsible disclosure of potential issues.",[10,22,23],{},"For every disclosure we evaluate its severity in terms of its direct impact,\nthe nature of the issue and the overall risk.",[10,25,26],{},"We have received a number of reports recently that we have been evaluating. Whilst\nnone of the recent disclosures has been deemed high severity, we have applied a number\nof updates to the platform.",[10,28,29],{},"These include:",[31,32,33,37,40],"ul",{},[34,35,36],"li",{},"Tougher rate limiting on the routes that manage user information, including email addresses",[34,38,39],{},"Better handling of the password-reset flow so that stale reset links can no longer be reused",[34,41,42],{},"Avoiding disclosure of a user's email address to other members of a team",[10,44,45],{},"This last item is one I wanted to say a bit more about. As you would expect, a\nuser's email address is sensitive information that we do not disclose to unauthorised\nusers. However, we also consider a Team as having a higher level of trust between its\nmembers. 
On review, we decided there is no technical reason for that higher\nlevel of trust to extend to a member's email address, so we have removed it from\nthe relevant API responses. Team membership alone no longer grants access to another member's email address.",[10,47,48],{},"We value the effort people put into making responsible disclosures to us and look\nto reward the work where it meets our criteria.",[10,50,51,52,55],{},"Find out more about our ",[14,53,19],{"href":16,"rel":54},[18],".",{"title":57,"searchDepth":58,"depth":58,"links":59},"",2,[],"Security Updates: We've strengthened user privacy and platform security with stricter rate limiting, improved password-reset flows and the removal of members' email addresses from team API responses.","md",{"date":63,"authors":64,"tags":66},"2024-01-17 13:00:00.0",[65],"nick-oleary",[67],"changelog",true,"\u002Fchangelog\u002F2024\u002F01\u002Fsecurity-updates",{"title":5,"description":60},"changelog\u002F2024\u002F01\u002Fsecurity-updates","9WAWQxpGphyK2Bo0_5_BwBp4jYEdN68Fg51vQPUPU14",1780132422449]