This paper presents a new score-based black-box attack method. It uses normalizing flow to estimate the adversarial data distribution. The adversarial examples are searched over the latent space of the flow-based model, making them hard to detect. Experimental results on CIFAR-10 and SVHN demonstrate its effectiveness over two baselines. Overall, it makes valuable contributions. The rebuttal addressed most of the concerns, with additional results. In the final version, the authors need to include said results and potentially make them even more extensive (e.g. running on SVHN, to get a complete version of the original Table 1).