Security

Responsible Disclosure

Report potential vulnerabilities clearly and safely so the Simplify team can investigate and respond.

Last updated: June 9, 2026

How to report

If you believe you have found a vulnerability in Simplify, Flash Launch, SimpleTrip, or a related public surface, email legal@simplify-net.com with a clear description, reproduction steps, affected URLs or assets, expected impact, and any relevant screenshots or logs.

Authorized testing

Testing is authorized only when it is conducted in good faith, uses accounts, applications, and systems you control, avoids privacy invasion or service disruption, and follows this policy, the Security page, the Terms of Service, and applicable law.

This policy does not authorize access to another person's data, destructive testing, denial-of-service testing, social engineering, phishing, spam, physical attacks, malware, credential attacks, automated high-volume scanning, persistence, exfiltration, or testing against third-party systems that Simplify does not control.

What to include

  • A concise summary of the issue.
  • Steps to reproduce using accounts or systems you control.
  • The potential security impact.
  • Your contact information for follow-up.

Out of scope

Reports may be treated as out of scope if they concern clickjacking on pages with no sensitive action, missing security headers without demonstrated impact, rate limit observations without practical abuse impact, spam or social engineering risk without a platform vulnerability, issues in outdated browsers, or vulnerabilities in third-party services outside Simplify's control.

Response process

Simplify will review credible reports and respond as appropriate for the affected surface, severity, exploitability, legal obligations, and operational impact. We may request more information, attempt to reproduce the issue, coordinate remediation, or determine that a report is not actionable.

Public disclosure

Please do not publicly disclose a potential vulnerability, exploit details, customer data, screenshots, logs, or proof-of-concept code before Simplify has had a reasonable opportunity to investigate and remediate. Coordinated disclosure should be agreed with Simplify in writing.

No bounty or legal promise

This page does not create a bug bounty program, payment commitment, employment relationship, vendor relationship, waiver, immunity, legal safe harbor beyond applicable law, or service-level commitment. Simplify reserves all rights for activity that violates this policy, the Terms of Service, third-party rights, or applicable law.