Responsible Vulnerability Disclosure

Security research guidelines and vulnerability reporting

Responsible Vulnerability Disclosure Policy

Last Updated: June 17, 2026

Our Commitment

BusyBee welcomes and appreciates the work of security researchers who help keep our platform safe. We are committed to working collaboratively with the security community to identify and address vulnerabilities responsibly. We will not pursue legal action against researchers who act in good faith and in accordance with this policy.

Scope

This disclosure policy applies to security vulnerabilities found in:

  • The BusyBee web application and its associated APIs,
  • Authentication and authorization systems (including our MFA and SAML SSO stacks), and
  • Data storage and transmission mechanisms.

What We Ask of Researchers

In exchange for our commitment to you, we ask that you:

  • Avoid testing that degrades service availability or impacts customers,
  • Refrain from publicly disclosing vulnerabilities you find prior to coordinated disclosure, and
  • Act in good faith and in accordance with applicable laws.

What You Can Expect from Us

When you report a legitimate vulnerability to us, we will:

  • Acknowledge receipt of your vulnerability report within a reasonable timeframe,
  • Investigate and validate reported issues,
  • Coordinate fixes and mitigations based on severity and impact, and
  • Provide attribution for your discovery upon request (unless you prefer to remain anonymous).

Out of Scope

The following types of testing are out of scope and should not be performed:

  • Denial of service (DoS) or distributed denial of service (DDoS) attacks,
  • Physical security testing,
  • Social engineering of our team members,
  • Spam or phishing campaigns, and
  • Testing of third-party services or infrastructure we do not control.

Coordinated Disclosure Timeline

We ask that you allow us a reasonable period of time to investigate and remediate a reported vulnerability before any public disclosure. We will work collaboratively with you to agree on an appropriate timeline based on the severity and complexity of the issue, typically not exceeding 90 days from the date of the initial report.

Submit a Vulnerability Report

Use this form to report a security vulnerability. Please include as much detail as possible to help us reproduce and validate the issue.