Security Vulnerability Disclosure Policy
1. Introduction
At Bomdiu, we take security seriously and value the contributions of security researchers and the broader security community in helping us maintain the safety and integrity of our systems. This Vulnerability Disclosure Policy outlines the guidelines for reporting security vulnerabilities to us.
2. Scope
This policy applies to any security vulnerabilities found in Bomdiu's publicly accessible services, including our website, APIs, and any other systems owned and operated by Bomdiu.
Out of Scope
The following are considered out of scope for this policy:
- Vulnerabilities in third-party services or applications that are not under Bomdiu's direct control.
- Social engineering attacks, including phishing of our employees or contractors.
- Physical security of our offices or data centers.
- Reports from automated scanners without a proof of concept demonstrating a specific vulnerability.
- Volumetric denial-of-service attacks.
3. Responsible Disclosure Guidelines
We request that security researchers adhere to the following guidelines when reporting vulnerabilities:
- Act in good faith and avoid violating any laws or compromising any data.
- Do not perform attacks that could disrupt our services, including denial of service (DoS), spam, or social engineering.
- Do not access, modify, or delete data that does not belong to you.
- Provide a clear and detailed report with steps to reproduce the vulnerability, including any relevant proof of concept.
- Report vulnerabilities promptly and allow us reasonable time to investigate and remediate before public disclosure.
4. Reporting Process
If you have discovered a security vulnerability, please report it to us via [email protected] with the following details:
- A description of the vulnerability.
- Steps to reproduce the issue.
- Potential impact of the vulnerability.
- Any supporting materials (e.g., screenshots, logs, proof-of-concept code).
For sensitive information, we encourage you to encrypt your report. Our PGP key can be found here: https://keys.openpgp.org/vks/v1/by-fingerprint/17579243F23AAFD69EDEB5258BE31E6A811D063D
We aim to acknowledge receipt of your report within 2 business days and provide an initial assessment within 5 business days. We will keep you informed of our progress as we investigate and remediate the issue.
5. Our Commitment
Once you have submitted a report, we are committed to the following:
- We will promptly acknowledge your report.
- We will work with you to understand and validate your findings.
- We will take reasonable steps to remediate the vulnerability in a timely manner.
- We will maintain an open line of communication with you throughout the process.
6. Recognition
Bomdiu does not offer financial rewards or compensation for security vulnerability disclosures. However, we deeply value the contributions of security researchers. We may offer public acknowledgement for significant and responsibly disclosed vulnerabilities, with your permission.
7. Legal Considerations
By submitting a report, you agree to avoid any unlawful activities and follow ethical disclosure practices. Bomdiu will not take legal action against researchers who act in good faith and comply with this policy.
8. Conclusion
We appreciate the efforts of security researchers in making Bomdiu's services more secure. If you have any questions about this policy, please contact us at [email protected].
Thank you for helping us maintain the security of our systems.