BreachBack

Responsible Disclosure

REPORT TO: security@breachback.com

We're a security company. If you find a hole in something we run, we want to hear about it — directly, quickly, and without you needing a lawyer first. We'd rather learn about a vulnerability from a researcher than from an incident, which is, after all, our whole pitch to everyone else.

How to report

Email security@breachback.com with what you found, where you found it, and steps to reproduce it. Screenshots and proof-of-concept details help. We'll acknowledge your report within 3 business days, keep you posted while we work on it, and tell you when it's fixed.

The ground rules

We ask four things of researchers, and they're the same four things any reasonable person would ask.

  • Give us reasonable time to fix the issue before you disclose it publicly. We'll move fast and keep you informed; 90 days is a fair default, and we're open to talking if a fix needs longer.
  • Don't access, modify, or delete data that isn't yours. If you stumble into someone else's data while proving a vulnerability exists, stop there and tell us.
  • Don't disrupt service. No denial-of-service testing, spam, social engineering of our staff or clients, or physical attempts on anyone's premises.
  • Stay in scope: breachback.com and the systems we publicly operate. Our clients' environments are not in scope under any circumstances.

Safe harbor

If you make a good-faith effort to follow this policy, we consider your research authorized. We will not initiate legal action against you, refer you for prosecution, or file abuse complaints over good-faith security research conducted within scope. If a third party comes after you for research that complied with this policy, we'll say so, on the record. We can't authorize testing against systems we don't own — which is part of why client environments are out of scope.

About rewards

We don't run a paid bug bounty yet. We're a young company and we'd rather be straight with you than dangle a vague "rewards at our discretion" line. What we can offer today: a fast, human response, credit and public acknowledgment for your find if you want it, and our genuine thanks. When a bounty program exists, it will be posted here.

One more thing

If you're reporting something urgent — active exploitation, exposed data — say so in the subject line and we'll treat it that way. Thank you for looking out for us and for the businesses we protect.