Holding Ourselves to the Highest Standard to Protect Community Data

Inside Flock's decision to retain the largest dedicated offensive security firm in the United States, and why the bar for testing a public safety platform is higher than most people realize.

by Chris Castaldo, February 9, 2026
15 minutes to read
Technology, Security Updates

Earlier this month, we announced that Flock has retained Bishop Fox to conduct continuous, adversarial security testing across every product in our ecosystem: hardware, software, and cloud infrastructure. The announcement explained what we’re doing. This post explains why.

The short answer: because the communities and law enforcement agencies that rely on Flock deserve to know that the platform protecting them has been stress-tested by people whose sole job is to break it and who carry the credentials, insurance, and legal accountability to do so responsibly.

The longer answer involves how we think about security testing as a discipline, why we set the bar where we do, and what it takes to earn the right to test a platform that handles criminal justice data.

Testing Systems as a Whole

In cybersecurity, there is an enormous gap between finding a single, isolated vulnerability and conducting a rigorous, comprehensive security assessment. A comprehensive assessment goes far beyond looking for run-of-the-mill vulnerabilities: it examines the business logic of how our technology works at its core, as a single platform rather than a collection of parts. The difference matters, especially when the platform being tested supports active criminal investigations.

A useful analogy: anyone can point out a crack in a bridge. But determining whether that crack is cosmetic or structural, and doing so without causing the bridge to collapse during rush hour, requires licensed engineers with professional liability coverage, standardized inspection methodologies, and regulatory authorization.

Security testing works the same way. The question is not whether someone can find a flaw. It’s whether they can systematically evaluate an entire platform without compromising the data, the operations, or the legal standing of the agencies that depend on it. This distinction shapes every decision we make about who touches our systems.

How We Make Sure Testing Strengthens Security

Flock’s customers include more than 5,000 law enforcement agencies. Those agencies use our platform to manage license plate data, camera footage, and investigative intelligence tied to active cases. That data is subject to CJIS Security Policy, chain-of-custody requirements, and the evidentiary standards of the criminal justice system.

Given those stakes, we do not grant system-level access for security testing to any party, regardless of their intentions, unless they meet every one of the following criteria:

  • Recognized professional credentials. The testing firm must employ researchers with verifiable, industry-recognized qualifications, such as OSCP, PNPT, GIAC GPEN, OSWE or equivalent, and a documented track record of enterprise-scale security engagements. A portfolio of Fortune 100 clients, published research, and peer-reviewed methodologies is the baseline, not the ceiling.
  • Standardized, auditable methodology. Testing must follow established frameworks such as OWASP, PTES, or NIST SP 800-115, and must extend to advanced hardware attack techniques such as chip-off extraction. Ad hoc or outcome-based approaches, in which a tester looks for a single exploitable flaw rather than systematically evaluating every control, do not meet the standard required for a public safety platform.
  • Professional liability insurance. Any firm testing a live system that supports active investigations must carry substantial professional indemnification. If a penetration test inadvertently disrupts a network, corrupts evidence, or exposes sensitive data, the testing firm must have the financial and legal capacity to cover the consequences. An individual or uninsured party cannot provide this protection.
  • SOC 2 Type II compliance from the tester. We require our auditors to have been audited themselves. The firm handling our data must demonstrate, through independent certification, that its own data-handling controls meet enterprise standards. This is non-negotiable.
  • Master Services Agreement and NDA. Every engagement is governed by legal contracts that define scope, restrict data handling, establish liability, and ensure that findings are responsibly disclosed. Testing outside of these agreements, regardless of the tester’s stated intentions, creates uncontrolled legal and operational risk for the agencies we serve.
  • Background-checked, vetted personnel. Every individual who accesses Flock systems in a testing capacity must pass Live Scan fingerprint-based CJIS background checks appropriate for handling law enforcement data, and must follow documented chain-of-custody procedures for any evidence encountered during testing.

These are not aspirational guidelines. They are contractual requirements embedded in our agreements with the agencies we serve. Waiving them for any reason, including convenience, public pressure, or good intentions, would be a breach of trust with our customers.

Why We Chose Bishop Fox

When we evaluated firms for this engagement, we applied the same criteria we’d apply to anyone who asked to test our platform. Bishop Fox didn’t just meet the bar; they set it.

Bishop Fox is the largest dedicated offensive security firm in the United States. Over two decades, they have conducted adversarial testing for more than 25% of the Fortune 100, including half of the Fortune 10 and eight of the top 10 global technology companies. Their researchers author open-source tools, including Sliver and CloudFox, that are used across the security industry. Their methodologies are referenced in academic research and professional training programs worldwide.

Critically, they bring the governance infrastructure that a public safety engagement demands: full indemnification, SOC 2-audited operations, CJIS-compatible personnel vetting, and a legal framework that protects every agency whose data our platform touches.

Bishop Fox operates as an independent adversary. Their job is to test our systems and report their findings. They have no incentive to produce favorable results, and their professional reputation depends on the rigor of their work, not our satisfaction with the outcome.

Continuous Adversarial Testing, Not One-Off Audits

A single point-in-time test cannot declare any modern platform “secure.” Software evolves continuously: new features deploy, APIs update, and infrastructure scales. A clean report today becomes outdated the moment the next release ships.

That’s why Flock also maintains an internal offensive security team that carries this work forward between the annual independent tests of our systems. Flock’s offensive security team holds itself to the same standards, so that adversarial simulation never stops.

Finding Flaws is the Goal

We want to be direct: retaining an elite offensive security firm to attack your own platform means they will find vulnerabilities. That is the point.

If you see security patches and updates from Flock in the months ahead, that is the process working exactly as designed. In professional adversarial testing, silence is concerning, while findings are evidence of rigor. Every vulnerability Bishop Fox identifies is a vulnerability eliminated before it can be exploited by an actual threat.

When significant findings occur, we follow responsible disclosure protocols and communicate transparently with affected customers. We do not wait for third parties to surface issues. We hunt for them ourselves, fix them, and report them.

For Independent Researchers: Our Vulnerability Disclosure Program

Flock maintains a formal Vulnerability Disclosure Program (VDP), consistent with the practices of major technology platforms like Google, Apple, and Microsoft.

If you are a security researcher who has identified a potential issue, we encourage you to submit it through our official VDP. This provides a structured, legal framework to report findings without requiring privileged system access or a formal contractual engagement.

We review every submission and are committed to working constructively with the research community. For the legal and governance reasons outlined above, we cannot grant system-level testing access to individuals or organizations that do not meet the professional, insurance, and compliance requirements our customers demand. This is not a judgment on anyone’s intentions. It is a structural obligation to the agencies and communities we serve.

We’re Setting the Standard

Public safety technology should be held to a higher cybersecurity standard than consumer software. The data is more sensitive. The consequences of a breach are more severe. And the communities affected have a right to know that every reasonable measure has been taken to protect them.

We don’t wait for vulnerabilities to be discovered by accident or surfaced in headlines. We retain the most credentialed adversarial testers available, subject ourselves to continuous attack, and hold the entire process to the strictest governance controls in the industry.

That is the commitment our customers made when they chose Flock. And it is the standard we intend to set for the entire public safety technology industry.

To learn more about our security practices, certifications, and our Vulnerability Disclosure Program, visit the Flock Trust Center.
