Vulnerability Disclosure Policy
middleBrick welcomes reports from security researchers who identify vulnerabilities in our systems. We commit to working with the security community to verify, reproduce, and respond to legitimate reports.
Scope
| In Scope | Out of Scope |
|---|---|
How to Report
Email [email protected] with:
- Description of the vulnerability
- Steps to reproduce
- Impact assessment
- Any proof-of-concept code or screenshots
We will acknowledge receipt within 48 hours and provide an initial assessment within 5 business days.
Safe Harbor
We consider security research conducted in accordance with this policy to be:
- Authorized with respect to the Computer Fraud and Abuse Act (CFAA); we will not pursue or support legal action against you under it
- Exempt from the anti-circumvention provisions of the DMCA; we will not bring a circumvention claim against you
- Authorized by middleBrick and not subject to legal action by middleBrick (this safe harbor binds middleBrick only; it cannot bind third parties)
This safe harbor applies provided you:
- Act in good faith
- Do not access or modify data belonging to other users
- Do not degrade the service or disrupt other users
- Report findings promptly, and do not disclose them publicly before we have had a reasonable time to remediate
What We Offer
- Public credit (with your permission) on our acknowledgments page
- Direct communication about the fix timeline
- No legal threats for good-faith research within scope
We do not currently operate a paid bug bounty program. This may change as the business grows.
Response Timeline
| Severity | Target Resolution |
|---|---|
| Critical | 24 hours |
| High | 72 hours |
| Medium | 7 days |
| Low / Informational | 30 days |
Exclusions
The following do not qualify under this policy:
- Automated scanner output without a demonstrated, exploitable impact
- Missing security headers on pages that handle no sensitive data or actions
- Missing or weak rate limiting, unless you can demonstrate a concrete impact such as account takeover
- SPF/DKIM/DMARC configuration on domains that do not send transactional mail
- Clickjacking on pages that expose no sensitive actions