BestDefense values the efforts of security researchers and members of the security community who help us maintain the security of our systems and customer data.
This Vulnerability Disclosure Policy explains how to report potential security issues to us, what types of testing and activity are permitted under this policy, and what reporters can expect from BestDefense once a report is submitted.
If you believe you have discovered a security vulnerability in a BestDefense-owned system or service, we encourage you to report it to us promptly and responsibly.
Our Commitment
When acting in good faith and in accordance with this policy, BestDefense will:
- acknowledge receipt of your report,
- review and validate the submission,
- work to remediate confirmed issues in a manner consistent with risk and business impact,
- maintain communication with you during the review process as appropriate.
How to Report
Please send all vulnerability reports to:
Email: security@bestdefense.io
Please include as much of the following information as possible:
- affected domain, endpoint, application, or asset
- description of the issue
- step-by-step reproduction instructions
- proof of concept, if available
- potential impact
- screenshots, logs, request/response samples, or other supporting evidence
- your name or alias and preferred contact information
If you believe the report contains sensitive information, please state that clearly in your email subject line.
Scope
This policy applies to systems, applications, and services that are:
- owned by BestDefense, and
- publicly accessible, unless otherwise expressly excluded below.
Out of Scope
Unless BestDefense expressly authorizes otherwise in writing, the following are out of scope under this policy:
- social engineering of employees, contractors, customers, or partners
- phishing or pretexting attacks
- physical attacks against offices, infrastructure, devices, or personnel
- denial of service, distributed denial of service, or resource exhaustion testing
- spam, rate flooding, or automated high-volume scanning that may impact availability
- attacks against third-party services, vendors, or infrastructure not owned by BestDefense
- clickjacking findings on pages without sensitive functionality
- missing security headers without a demonstrated security impact
- reports based solely on outdated or missing software version banners without proof of exploitability
- automated scan results without clear reproduction steps or demonstrated impact
- testing that accesses, modifies, deletes, exfiltrates, or destroys data that does not belong to you
- any attempt to establish persistence, pivot, escalate privileges, or move laterally
- any activity that disrupts service availability, degrades performance, or harms users
Rules of Engagement
To protect our users, customers, and systems, you must:
- act in good faith
- avoid privacy violations, destruction of data, interruption of service, and degradation of user experience
- only perform testing necessary to confirm the presence of a vulnerability
- stop testing and notify us immediately once you discover sensitive data, unintended access, or material risk
- not exploit the issue beyond what is minimally necessary to demonstrate it
- not retain, copy, transfer, disclose, or use any data accessed during testing
- not attempt to access another user's account or data
- not use brute force, credential stuffing, password spraying, or similar techniques
- not chain findings in a way that increases impact beyond what is necessary to document the issue
- not publicly disclose the vulnerability until BestDefense has had a reasonable opportunity to investigate and remediate it
Safe Harbor
BestDefense supports responsible, good-faith security research conducted in accordance with this policy.
If you act in good faith and comply with this policy, BestDefense will not initiate legal action against you for your research activities solely because of your submission under this policy.
This safe harbor applies only to conduct that:
- is intended to identify a good-faith security issue,
- is limited to what is reasonably necessary for that purpose,
- avoids harm to BestDefense, its customers, and third parties, and
- otherwise complies with applicable law.
This policy does not authorize:
- testing outside the scope described above,
- access to data that does not belong to you,
- service disruption,
- social engineering,
- extortion,
- ransomware activity,
- any other unlawful conduct.
If you are uncertain whether your intended activity is consistent with this policy, do not proceed. Contact us first at security@bestdefense.io.
What to Expect
BestDefense will make reasonable efforts to:
- acknowledge receipt of your report within 3 business days
- provide an initial triage update within 7 business days
- request additional information if needed
- keep you informed of status changes as appropriate
Response and remediation timelines may vary depending on severity, complexity, operational risk, and dependency constraints.
Rewards / Bounties
BestDefense does not currently operate a public bug bounty program.
Any reward, recognition, or discretionary payment is made solely at BestDefense's discretion and is not guaranteed.
Submission of a report does not create any expectation of compensation.
Confidentiality and Disclosure
We ask that you keep details of any reported vulnerability confidential until:
- BestDefense confirms remediation, or
- BestDefense provides written permission for disclosure.
If coordinated public disclosure is requested, we will review it in good faith and work toward a reasonable timeline.
Privacy
Please do not include unnecessary personal data in your report. If personal data or sensitive information is encountered during testing, stop immediately and notify us.
Changes to This Policy
BestDefense may update this policy from time to time. The version published on this page is the current version.