Skip to content
Policy 1.2.0Reviewed 2026-07-15

Responsible disclosure

Security policy

Report suspected BoringSec product vulnerabilities privately. This policy tells you what is in scope, how to test without harming others, when to stop, and how we coordinate disclosure.

Report privately

Email security@boringsec.com with the subject Security Report: <short summary>.

  • A concise description and potential impact.
  • The affected URL, endpoint, feature, or file.
  • Minimal reproduction steps using data and assets you control.
  • Relevant request identifiers, timestamps, and redacted screenshots or logs.

Do not send secrets, credentials, personal data, full data exports, or destructive exploit payloads in the initial email. Redact the minimum evidence needed to explain the issue. BoringSec does not currently publish a PGP key or a general secure-upload endpoint. If additional sensitive evidence is necessary, wait for case-specific instructions before transferring it.

In scope

  • The production BoringSec web application and same-origin public APIs at https://www.boringsec.com.
  • BoringSec accounts, domains, reports, and test data that you own or are explicitly authorized to use.

Permitted testing

  • Use accounts, domains, repositories, and data that you control.
  • Use the minimum requests and data needed to demonstrate a reproducible issue.
  • Keep request volume low and avoid persistence, destructive actions, and changes to other users’ data.
  • Report the issue promptly, keep it private during coordination, and cooperate with reasonable steps needed to prevent harm.

Out of scope and prohibited

  • Customer scan targets, customer reports, third-party systems, and provider infrastructure that you do not own or have explicit authorization to test.
  • Social engineering, phishing, physical security, employee or customer targeting, and attacks against support channels.
  • Denial of service, resource exhaustion, high-volume automation, spam, credential stuffing, and tests that degrade service for other users.
  • Accessing, modifying, deleting, downloading, or retaining another person’s data beyond the minimum unavoidable evidence needed to report accidental access.
  • Persistence, malware, backdoors, lateral movement, supply-chain compromise, or continued access-control bypass after you have enough evidence to report the issue.

Stop on access

If you encounter credentials, personal data, non-public customer data, another user’s report, or unexpected system access, stop immediately. Do not continue exploring, copy more data than the minimum evidence, retain the data longer than needed to report it, or share it with anyone other than BoringSec through the reporting channel.

Good-faith safe harbor

For research carried out in good faith and in accordance with this policy, BoringSec considers the activity authorized against the BoringSec systems listed as in scope and does not intend to initiate legal action based solely on that compliant research.

  • Stay within the listed scope and use only accounts, assets, repositories, and data that you own or are explicitly authorized to test.
  • Follow the prohibited-testing and stop-on-access rules, minimize requests and data, and stop if BoringSec asks you to stop.
  • Report privately and promptly, do not exploit the issue beyond the minimum proof, and do not use the issue for extortion or commercial pressure.
  • Comply with applicable law and do not infringe the rights of customers, service providers, or other third parties.

If you accidentally cross a boundary, stop immediately, tell us what happened, do not retain or use accessed data, and cooperate with reasonable steps to prevent harm. We will assess the conduct by its intent, proportionality, and your response rather than treating an accidental good-faith mistake as malicious by default.

This safe harbor states BoringSec’s position only. It is not legal advice or blanket immunity, cannot authorize testing of third-party systems, and cannot bind customers, service providers, regulators, law enforcement, or other third parties. It does not cover deliberate policy violations, threats, deception, privacy violations, destructive conduct, data use or retention, testing outside scope, or conduct continued after a stop request.

Response targets

Acknowledgement targetWithin 3 business days
Triage update targetWithin 7 business days
Remediation planningBased on validated severity, exploitability, and operational risk

These are operational targets, not guaranteed service levels. Complex or incomplete reports can take longer.

Coordinated disclosure

Please keep the report private while we investigate. Publish technical details only after we confirm remediation or we agree on a disclosure date in writing.

BoringSec does not currently operate a public bug-bounty program and does not promise payment. The good-faith safe harbor is limited to the BoringSec systems and conduct described above. It is not blanket legal immunity, does not waive third-party rights, and does not authorize testing outside scope.

Public references

Product and account questions go to support@boringsec.com.