Introduction and Purpose
BreachSeek is committed to protecting the security and privacy of our users. We value the contributions of security researchers and the wider community in helping us maintain a secure platform. This Responsible Disclosure Policy outlines how to safely report any vulnerabilities in the BreachSeek app or related systems, and it explains what you can expect from us in return. This policy is intended to provide clear guidelines for ethical hacking and vulnerability disclosure.
Scope: This policy applies to the following BreachSeek-owned assets (collectively, "the Services"):
- The main BreachSeek website: `https://www.breachseek.com`
- The BreachSeek application platform: `https://app.breachseek.com`
- The BreachSeek API services hosted under the `api.breachseek.com` domain.
Please note: BreachSeek is not offering monetary rewards or bug bounty payments at this time. Your efforts are appreciated and will help us improve security for everyone.
How to Report a Vulnerability
If you discover a security vulnerability in BreachSeek, please report it to us as soon as possible in a discreet manner. To do so, email our security team at security@breachseek.com. Use the subject line “Security Vulnerability Report” (or similar) to help us identify the issue quickly. In your report, include as much detail as you can (see the next section for guidance on what to include). We request that you do not share details of the vulnerability with anyone else until we have had a chance to investigate and address it.
What to Include in a Report
To help us understand and resolve the issue efficiently, please include the following information in your vulnerability report:
- Description of the Issue: A clear and concise description of the vulnerability. What is the nature of the security flaw? Which part of our app or system is affected?
- Steps to Reproduce: Step-by-step instructions on how to reproduce the vulnerability. Please be as detailed as possible. This may include URLs, parameters, test account info (if you were provided one for testing by us), or any special conditions required to trigger the issue.
- Potential Impact: Explain the security impact of the vulnerability. What could an attacker achieve by exploiting it? For example, could they access sensitive data, take over accounts, execute code, etc.?
- Environment Details: If relevant, mention the environment or version in which you found the issue (e.g., app version, OS, browser).
- Proof-of-Concept: If available, include any proof-of-concept code, screenshots, or videos that demonstrate the vulnerability in action. (Please do not include sensitive data in screenshots or attachments.)
- Suggested Fix (Optional): If you have suggestions for how to fix the issue, we welcome them. This is optional but can be helpful.
- Your Contact Information: (Optional) Your name, handle, or contact info so we can reach out with updates. You may report anonymously if you prefer, but providing a way to reach you will help us coordinate and credit you appropriately.
Providing comprehensive information upfront will speed up our investigation. We may reach out to you for clarification or additional details if necessary.
Our Commitments
When you report a vulnerability to us, BreachSeek makes the following commitments to you:
- Acknowledgement: We will acknowledge receipt of your vulnerability report within 3 business days. You will receive confirmation that we’ve received your report and are investigating.
- Communication: We will keep you informed of our progress. We may ask for additional information to help reproduce or understand the issue, and we will let you know once the vulnerability has been validated and fixed.
- Timely Fixes: We aim to investigate and remediate valid vulnerabilities as quickly as possible. Our goal is to fix critical issues within 30 days whenever feasible. If a fix will take longer, we will provide you with an update on the expected timeline or interim mitigations.
- No Retaliation: We pledge not to take any legal action against researchers who discover and report security issues to us in good faith and in accordance with this policy (see Legal Safe Harbor below).
- Credit (Recognition): If you wish, and after the vulnerability is resolved, we can publicly acknowledge your contribution. We will only publish your name or handle with your permission. (If you prefer to remain anonymous, we will honor that.)
- Privacy: We will not share your personal information or research details with third parties without your consent, except as necessary to resolve the security issue (for example, with a relevant vendor if the issue involves their product).
Our goal is to foster a collaborative relationship with the security community. We appreciate your time and expertise, and we are committed to addressing your report with the seriousness it deserves.
Rules of Engagement
When testing our systems and services or reporting vulnerabilities, we ask that you abide by the following responsible guidelines to ensure a safe, legal, and positive experience for everyone:
- Do No Harm: Perform research only in ways that do not negatively affect BreachSeek or its users. In particular, do not engage in any form of denial-of-service (DoS/DDoS) testing or any action that could degrade our services or disrupt access for other users.
- Avoid Privacy Violations: Do not access, copy, alter, or delete data that does not belong to you. If the vulnerability allows access to user data or sensitive information, limit your testing to the bare minimum required to demonstrate the issue. If you inadvertently encounter personally identifiable information (PII) or other sensitive data during your research, stop immediately and report the finding to us. Do not save, share, or exploit that data.
- Minimal Exploitation: Use exploits only to the extent necessary to confirm a vulnerability’s presence. Do not use any found vulnerability to pivot to other systems, establish persistent access, or exfiltrate data. In short, prove the security issue exists without causing additional impact.
- No Manipulation of Data: Refrain from modifying or destroying any data on our systems. Do not attempt to tamper with, corrupt, or permanently alter system data or configurations.
- No Social Engineering or Physical Attacks: This policy covers technical vulnerability testing only. Do not engage in social engineering (phishing, vishing, etc.) against our employees or systems, and do not perform physical attacks such as attempting to gain unauthorized access to offices, hardware, or infrastructure.
- Be within Scope: Conduct testing only on systems owned or operated by BreachSeek, as defined in the "Scope" section of this policy. Your testing must not target third-party services or applications that are not under BreachSeek’s control. If you’re unsure whether a system is in scope, please ask us first.
- Responsible Disclosure: Share vulnerability details only with us and do not publicly disclose or hint at the issue until we have had a chance to resolve it (following the Public Disclosure Policy below). This helps prevent malicious actors from exploiting the issue before it’s fixed.
- Quality of Reports: Make a good-faith effort to provide a clear, detailed report. Please avoid submitting high volumes of low-quality or spam reports. Each report should cover a new, previously unreported issue; multiple instances of the same bug, for example, can be combined into one report.
By adhering to these rules of engagement, you ensure that your research remains constructive and appreciated. If you are ever in doubt about whether an action is permitted, please stop and contact us for guidance.
Legal Safe Harbor
We want to make it clear that if you act in good faith and in accordance with this Responsible Disclosure Policy, your activities are considered authorized. BreachSeek will not pursue or support any legal action against you for security research that aligns with the guidelines and scope of this policy. In fact, we will treat your actions as intended to improve our security, and researchers acting in good faith will not be prosecuted or penalized by BreachSeek. Furthermore, if a third party (for example, a vendor or partner) initiates legal action against you for activities conducted under this policy, we will make it known that your actions were authorized and encouraged as per our policy. This is our Legal Safe Harbor guarantee to you.
Important: This safe harbor applies only to activities conducted in a manner consistent with this policy. If your security research involves wrongdoing (such as extortion, data theft for personal gain, or any malicious intent) or falls outside the bounds of this policy, then this commitment of non-action is nullified. As long as you follow the rules and act ethically, we consider your work to be helping us, and we welcome it.
Public Disclosure Policy
To protect our users, we request that researchers do not publicly disclose any vulnerabilities or share vulnerability details with others until we have had an opportunity to resolve the issue. Coordinated disclosure allows us to fix the problem before it is widely known, minimizing the risk that malicious actors will exploit it. Here is how we handle public disclosure:
- Coordination: We will keep you informed when a fix is in progress and when it has been deployed. Once the vulnerability is resolved, we will let you know and, if you agree, we can coordinate on the timing of any public announcement or disclosure. We are happy to have you publish your findings after the fix, and we will gladly credit your discovery if you wish.
- No Early Publication: Please refrain from publishing or discussing the vulnerability in any public forum before it is fixed, unless you have our explicit agreement to do so. In general, we ask for the chance to remediate the issue first. Premature public disclosure can put users at risk, so we take this seriously.
- Exceptions and Mutual Agreement: We understand there may be cases where a fix is delayed or other circumstances arise. If you feel that we are not acting on the issue in a timely manner or you have a strong need to publish earlier, please discuss it with us. We are open to setting a mutually agreeable disclosure timeline. Our aim is to be transparent and fair, balancing security risk and public awareness.
- Our Disclosure: BreachSeek may choose to publicly announce the vulnerability (for example, in release notes or a security advisory) once it’s fixed. We will not reveal your identity or the details you reported without your consent. If appropriate, and if you want recognition, we will include a thank-you to you for the discovery.
In summary, we prefer a coordinated disclosure approach that gives us the opportunity to fix issues while ensuring you get credit for your work. Responsible timing of disclosure is critical to protecting users, and we appreciate your understanding and cooperation on this front.
Final Notes and Contact
Thank you for helping to keep BreachSeek secure. We deeply appreciate the time and effort of the security community in finding and reporting vulnerabilities to us. Even without a financial bounty, your contributions are invaluable to the safety of our platform and our users. We are committed to continually improving our security, and your responsible disclosure plays a vital role in that process.
If you have any questions about this policy or need clarification on any point, please contact us at security@breachseek.com. We welcome feedback on our Responsible Disclosure Policy itself, as we aim to make it as clear and researcher-friendly as possible.
By working together with you, the researchers, we can ensure that BreachSeek remains a secure and trustworthy service. Your help makes a difference, and we thank you for it.
— The BreachSeek Security Team