Legal

Responsible Disclosure

This policy explains how security researchers can report vulnerabilities they find in Bug Circuit's own website and application. It sets out our scope, the rules for good-faith testing, our safe-harbour commitment, and what you can expect from us after you report.

Last updated: 6 July 2026

1.Our Commitment to Security

Bug Circuit is a cybersecurity company, and we hold our own systems to the same standard we apply on behalf of our customers. We welcome reports from security researchers who identify vulnerabilities in Bug Circuit's website and application, and we are committed to working with the research community in a fair, transparent, and timely way.

This policy tells you what you may test, how to test responsibly, how to report what you find, and what protections and response you can expect in return. By researching and reporting under this policy, you agree to the rules set out below.

2.Scope

This policy covers vulnerabilities in systems that Bug Circuit owns and operates, specifically:

  • The bugcircuit.com website and its subdomains that we operate.
  • The Bug Circuit web application, including its authentication (passwordless one-time-code login for customers and WebAuthn/passkey login for staff), checkout, scan-request, and live-chat features.
  • Bug Circuit's public-facing application programming interfaces (APIs) that support the above.
This policy is only about vulnerabilities in Bug Circuit itself. It does not authorize any testing of our customers' websites, our customers' infrastructure, or any domain that is not owned and operated by Bug Circuit. Testing performed on customer domains is governed entirely by each customer's separate Authorization to Test and is outside the scope of this policy.

3.Out of Scope

The following are outside the scope of this policy. Reports limited to these items are generally not eligible and may be closed without detailed follow-up:

  • Third-party services and infrastructure we rely on but do not control, including our cloud host, third-party payment processor (e.g. PayPal), transactional email provider, and the server-side AI assistant provider (Google Gemini). Please report issues in those services to the relevant provider.
  • Any customer domain, customer application, or customer data — these are never in scope under this policy.
  • Findings from automated scanners without a demonstrated, exploitable impact.
  • Denial-of-service (DoS/DDoS), volumetric, resource-exhaustion, or brute-force attacks.
  • Social engineering, phishing, or physical attacks against Bug Circuit staff, users, or facilities.
  • Missing security headers, cookie flags, TLS configuration nuances, or best-practice recommendations with no concrete, demonstrable security impact.
  • Reports of software version disclosure or theoretical vulnerabilities without a working proof of concept.
  • Self-inflicted issues that require an already-compromised device, a rooted/jailbroken device, or highly unlikely user interaction.

4.Rules of Engagement

To keep your research good-faith and to qualify for the safe-harbour protection in Section 5, you must follow these rules:

  • Test only against your own account and your own test data. Do not access, modify, or delete data belonging to any other user or customer.
  • Do not exfiltrate, download, or retain any data that is not your own. If you inadvertently access another party's data, stop immediately, do not save it, and tell us in your report.
  • Do not run denial-of-service tests, high-volume automated scanning, or anything that degrades or interrupts service for others.
  • Do not use social engineering, phishing, or physical intrusion against Bug Circuit, its staff, or its users.
  • Stop as soon as you have confirmed a vulnerability. Prove the issue exists — do not exploit it further, pivot to other systems, or maintain persistent access.
  • Do not publicly disclose the vulnerability, or share it with anyone else, until we have confirmed it is resolved and we have agreed on timing with you.
  • Comply with all applicable laws. Nothing in this policy authorizes activity that is illegal in your jurisdiction or ours.

5.Safe Harbour

We will not pursue or support legal action against you for security research and vulnerability reporting conducted in good faith and in accordance with this policy. Specifically, we consider such activity to be authorized, and we will not treat it as a violation of our acceptable-use terms.

If your research follows this policy, we will make good-faith efforts to recognize your authorization to test as described here and to work with you rather than against you. Safe harbour applies only to Bug Circuit. It does not bind third parties, and it does not extend to any activity against customer domains or other systems you are not explicitly authorized to test.

If you are unsure whether a specific action is permitted, or you believe you may have accidentally gone outside this policy, contact us at [email protected] before proceeding. We would much rather answer a question early than deal with a problem later.

6.How to Report a Vulnerability

Send your report to [email protected]. A clear, detailed report helps us validate and fix the issue quickly. Please include:

  • A description of the vulnerability and the affected component or URL.
  • Clear, step-by-step instructions to reproduce it, including any accounts, requests, or payloads used.
  • A proof of concept (PoC) — screenshots, request/response captures, or a short script — where possible.
  • An assessment of the potential impact and any suggested remediation, if you have one.
  • Your name or handle for recognition, and how you would like us to contact you.

Please submit one issue per report, and keep any related sensitive details out of third-party services. We accept reports in English. We also publish a security.txt file (see Section 9) with our current contact details.

7.Our Response and Timeline

When you report in line with this policy, you can expect the following from us:

  • Acknowledgement: we aim to confirm receipt of your report within 3 business days.
  • Triage: we aim to validate the report and assess severity within 10 business days, and we will let you know the outcome.
  • Updates: we will keep you reasonably informed of our progress toward a fix.
  • Resolution: we prioritize remediation by severity and will notify you once the issue is resolved.

These timelines are targets, not contractual guarantees, and may vary with the complexity and severity of the issue. We ask that you allow us a reasonable period to remediate before any public disclosure, and that you coordinate the timing of any disclosure with us.

8.Recognition (No Bug Bounty)

Bug Circuit does not currently operate a paid bug-bounty program, and this policy does not promise or imply any monetary reward, payment, or other compensation for reports.

We do value the work of researchers who help us improve. With your permission, we are happy to acknowledge you publicly — for example, by name or handle in a security acknowledgements list — for valid, previously unreported issues that you disclose responsibly under this policy. Let us know in your report whether, and how, you would like to be credited.

9.security.txt

In line with the RFC 9116 standard, we publish a security.txt file describing how to reach our security team. You can find it at https://bugcircuit.com/.well-known/security.txt. If anything in that file conflicts with this policy, this policy prevails, and you should confirm current contact details with us at [email protected].

10.Changes to This Policy

We may update this Responsible Disclosure Policy from time to time to reflect changes in our systems, practices, or legal requirements. The version in force is the one published at bugcircuit.com, and the effective date shown with this document indicates when it was last updated. Research and reports are governed by the version of this policy in effect at the time they are made.

Questions about this policy? Email [email protected] or see our other legal documents.