Vulnerability Disclosure Policy
This policy explains how we prefer security researchers to submit vulnerabilities to us and sets clear standards for carrying out vulnerability discovery activities.
This policy outlines the systems and categories of research that fall within its scope and how to disclose vulnerabilities to us. Please get in touch with us if you discover any potential flaws in the Bluefin codebase.
In accordance with this policy, "research" refers to activities in which you:
- Inform us as soon as you find a genuine or potential security problem.
- Make every attempt to avoid privacy violations, loss of user experience, disruption to production systems, and destruction or modification of data.
- Use exploits only as much as necessary to verify a vulnerability is present. You shouldn't use an exploit to compromise or steal data, gain ongoing command-line access, or switch to another machine.
- Use the identified communication channels to report vulnerability information to us.
- Avoid submitting a lot of reports of poor quality.
- If you find a vulnerability or come across sensitive data (such as personally identifiable information, financial information, or intellectual property or trade secrets of any party), halt your test, let us know immediately, and keep the finding to yourself.
The following test methods are not authorized:
- DoS or DDoS tests on networks or other tests that restrict access to or harm systems or data.
- Physical testing, social engineering, or any other non-technical vulnerability testing, such as tailgating, workplace access, open doors, or phishing.
Any vulnerability not previously disclosed by us, or by our independent auditors in their reports, is in scope.
If you believe you’ve found a security vulnerability in one of our contracts or platforms, email us at email@example.com. Please include the following details with your report:
- A description of the location and potential impact of the vulnerability.
- A detailed description of the steps required to reproduce the vulnerability.
- The report should be written in English, if possible.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursuing or supporting any legal action related to your findings.
- Acknowledging receipt of your report within 3 business days.
- Maintaining an open dialogue with you to understand and resolve the issue quickly.