Home
Bondi

Security Vulnerability Disclosure Policy

Working together with the security community to protect our users

Last Updated: November 2025

1. Introduction

1.1 Our Commitment to Security

At Bondi, security is fundamental to our mission of providing a reliable and trustworthy platform for businesses worldwide. We recognize that the security community plays a vital role in helping us identify and address potential vulnerabilities.

We welcome and appreciate responsible security research conducted by ethical security researchers, penetration testers, and cybersecurity professionals.

1.2 Purpose of This Policy

This Security Vulnerability Disclosure Policy (also known as a Responsible Disclosure Policy) establishes guidelines for:

  • Security researchers to report vulnerabilities responsibly
  • Our commitment to respond promptly and transparently
  • Legal protections for researchers acting in good faith
  • Recognition and appreciation for your contributions

1.3 Safe Harbor

We commit to not pursuing legal action against researchers who discover and report security vulnerabilities in accordance with this policy. Activities conducted consistent with this policy will be considered authorized conduct under the Computer Fraud and Abuse Act (CFAA), Digital Millennium Copyright Act (DMCA), and other applicable laws.

2. Program Scope

2.1 In-Scope Targets

Security research is authorized for the following assets:

Primary Targets:

  • heybondi.com and all subdomains (*.heybondi.com)
  • Production web application (app.heybondi.com, platform.heybondi.com, etc.)
  • Public-facing APIs (api.heybondi.com)
  • Authentication and authorization systems
  • Data processing and storage mechanisms

Infrastructure:

  • Web servers and application infrastructure
  • Content delivery systems
  • Email systems directly managed by Bondi

2.2 Out-of-Scope Targets

The following are explicitly excluded from this program:

Third-Party Services:

  • AWS infrastructure (managed by Amazon)
  • Stripe payment processing (managed by Stripe)
  • Google Analytics (managed by Google)
  • Mixpanel (managed by Mixpanel)
  • Mailgun email service (managed by Mailgun)
  • Any other third-party service or integration

Prohibited Testing:

  • Physical security testing of offices or data centers
  • Social engineering attacks (phishing, vishing, etc.)
  • Denial of Service (DoS/DDoS) attacks
  • Automated scanning without prior written permission
  • Testing of user accounts that don’t belong to you
  • Network attacks that could impact availability

Note: If you discover a vulnerability in a third-party service we use, please report it directly to that service provider and inform us at security@heybondi.com so we can coordinate.

2.3 Uncertainty About Scope

If you’re unsure whether a target or testing method is in scope:

  • Contact us first at security@heybondi.com
  • Provide details about what you want to test
  • Wait for explicit authorization before proceeding
  • Better to ask than accidentally violate the policy

3. Vulnerability Categories & Severity

3.1 Severity Classification

We use the Common Vulnerability Scoring System (CVSS) v3.1 to classify vulnerability severity:

Critical (CVSS 9.0-10.0)

  • Remote code execution (RCE)
  • Authentication bypass allowing full system access
  • SQL injection with data exfiltration capability
  • Complete account takeover of any user
  • Vertical privilege escalation to administrator
  • Bypass of critical security controls

High (CVSS 7.0-8.9)

  • Stored Cross-Site Scripting (XSS) in critical areas
  • Cross-Site Request Forgery (CSRF) on sensitive operations
  • Server-Side Request Forgery (SSRF) with internal access
  • Insecure Direct Object Reference (IDOR) exposing sensitive data
  • Horizontal privilege escalation between user accounts
  • OAuth/SSO authentication vulnerabilities
  • Significant information disclosure (API keys, tokens, credentials)

Medium (CVSS 4.0-6.9)

  • Reflected XSS (non-self)
  • CSRF on non-sensitive operations
  • Information disclosure (non-sensitive data)
  • Missing security headers (CSP, HSTS, etc.)
  • Rate limiting issues
  • Session management weaknesses
  • Email verification bypass
  • Subdomain takeover
  • Open redirects to external sites

Low (CVSS 0.1-3.9)

  • Self-XSS (requires user interaction)
  • Clickjacking on non-sensitive pages
  • Missing best practices (non-exploitable)
  • Informational findings
  • CAPTCHA bypass (low impact)
  • Verbose error messages
  • Missing security headers (low impact)

3.2 Out-of-Scope Vulnerabilities

The following findings are typically not eligible for recognition:

  • Issues in outdated browsers or platforms
  • Theoretical vulnerabilities without proof of concept
  • Social engineering attacks
  • Recently disclosed zero-day vulnerabilities (less than 30 days)
  • Vulnerabilities requiring physical access
  • DoS/DDoS vulnerabilities
  • Spam or email delivery issues
  • Reports generated by automated tools without verification
  • Issues already known to us or publicly disclosed

4. How to Report a Vulnerability

4.1 Reporting Methods

Primary Method - Email:

  • Send reports to: security@heybondi.com
  • Subject line: “Security Vulnerability Report - [Brief Description]“

4.2 Required Information

Please include the following in your report:

Essential Details:

  • Vulnerability Description: Clear explanation of the issue
  • Affected Component: URL, API endpoint, or system component
  • Vulnerability Type: (e.g., XSS, SQL Injection, IDOR, etc.)
  • Severity Assessment: Your estimate (Critical/High/Medium/Low)
  • Steps to Reproduce: Detailed, numbered steps to replicate the issue
  • Proof of Concept: Screenshots, videos, or code demonstrating the vulnerability
  • Impact Analysis: Potential consequences if exploited
  • Affected User Data: What data could be compromised (if any)

Optional but Helpful:

  • Suggested remediation or fix
  • References to similar vulnerabilities (CVEs, articles)
  • Tools or scripts used to discover the issue
  • Your preferred contact method for follow-up

Personal Information:

  • Your name or handle (for recognition)
  • Email address for communication
  • Country/region (for time zone coordination)
  • Permission to publicly acknowledge your contribution

4.3 Report Template

Vulnerability Report for Bondi

Reported by: [Your Name/Handle]
Date: [YYYY-MM-DD]

## Summary
[Brief one-line description]

## Severity
[Critical/High/Medium/Low]

## Affected Component
URL/Endpoint: [Specific URL or API endpoint]
Parameter/Field: [If applicable]

## Vulnerability Type
[XSS, SQL Injection, IDOR, Authentication Bypass, etc.]

## Steps to Reproduce
1. [First step]
2. [Second step]
3. [etc.]

## Proof of Concept
[Screenshots, videos, or code]

## Impact
[What an attacker could do with this vulnerability]

## Suggested Fix
[Optional: Your recommendation]

## Additional Notes
[Any other relevant information]

5. Response & Resolution Timeline

5.1 Our Service Level Agreement (SLA)

We commit to the following response times:

Initial Response:

  • Acknowledgment of receipt: 48-72 hours
  • Confirmation that we received your report
  • Assigned tracking ID for reference

Triage & Assessment:

  • Initial triage: 5 business days
  • Severity classification
  • Validation of vulnerability
  • Impact assessment
  • Fix priority assignment

Progress Updates:

  • Regular updates: Every 7 days
  • Status of investigation and remediation
  • Estimated resolution timeline
  • Any questions or clarifications needed

5.2 Resolution Timeline by Severity

Critical Vulnerabilities (CVSS 9.0-10.0):

  • Target fix: 7 calendar days
  • Emergency patch deployment if needed
  • Immediate notification to affected users (if applicable)

High Vulnerabilities (CVSS 7.0-8.9):

  • Target fix: 14 calendar days
  • Scheduled patch deployment
  • Communication to affected parties

Medium Vulnerabilities (CVSS 4.0-6.9):

  • Target fix: 30 calendar days
  • Included in regular release cycle
  • May be bundled with other fixes

Low Vulnerabilities (CVSS 0.1-3.9):

  • Target fix: 60 calendar days or next major release
  • Prioritized with other improvements
  • May be addressed in routine updates

5.3 Exceptions & Extensions

  • Complex vulnerabilities may require additional time
  • We will communicate any delays and revised timelines
  • Critical vulnerabilities take absolute priority
  • Dependencies on third-party vendors may affect timelines

6. Disclosure Coordination

6.1 Coordinated Disclosure Process

We follow a coordinated disclosure approach:

Standard Disclosure Timeline:

  • 90-day window from initial report
  • Allows sufficient time for investigation, fix, and deployment
  • Public disclosure coordinated between researcher and Bondi

Public Disclosure:

  • After vulnerability is fixed and patch is deployed
  • Mutual agreement on disclosure timing and content
  • Credit given to researcher (with permission)
  • Security advisory published if warranted

6.2 Extension Requests

We May Request Extension If:

  • Vulnerability is particularly complex
  • Fix requires significant architectural changes
  • Coordination with third-party vendors needed
  • Testing and validation require more time

You May Request Early Disclosure If:

  • Vulnerability is being actively exploited
  • Details have been leaked publicly
  • Extended delays without progress

6.3 Public Disclosure Guidelines

After Coordinated Disclosure:

  • You may publish technical details, blog posts, or conference talks
  • We encourage responsible disclosure practices
  • Please coordinate timing with us
  • Include remediation information in any public disclosure

Before Disclosure:

  • Do not disclose vulnerability details publicly
  • Do not discuss with others outside the disclosure process
  • Do not share proof-of-concept code publicly

7. Rules of Engagement

7.1 Authorized Testing Guidelines

Do:

  • ✅ Create your own test accounts for research
  • ✅ Use your own data and systems for testing
  • ✅ Test on non-production systems when possible
  • ✅ Limit your testing to the minimum necessary to demonstrate the vulnerability
  • ✅ Stop testing and report immediately upon discovering a critical vulnerability
  • ✅ Delete any data obtained during testing
  • ✅ Respect user privacy at all times

Don’t:

  • ❌ Disrupt or degrade our services or systems
  • ❌ Access, modify, or delete data belonging to other users
  • ❌ Perform any testing that could impact availability (DoS/DDoS)
  • ❌ Execute social engineering attacks against employees or users
  • ❌ Spam our systems or send unsolicited communications
  • ❌ Exfiltrate or retain user data
  • ❌ Pivot to other systems or networks
  • ❌ Use findings for malicious purposes

7.2 Prohibited Actions

The following actions are strictly prohibited and will result in disqualification from this program and potential legal action:

  • Launching DoS/DDoS attacks
  • Conducting phishing or social engineering campaigns
  • Physical attacks or unauthorized physical access
  • Intentionally harming users or accessing their data
  • Extortion or demanding payment for vulnerability information
  • Selling or sharing vulnerability details with others
  • Violating privacy of Bondi users or employees
  • Causing intentional damage to systems or data

7.3 Test Accounts

Creating Test Accounts:

  • Use a clearly identifiable email (e.g., security-research@yourdomain.com)
  • Do not use other users’ accounts
  • Test accounts should not contain real or sensitive data
  • Clearly mark accounts as used for security research

If You Accidentally Access Real Data:

  • Stop testing immediately
  • Report to security@heybondi.com
  • Delete any obtained data
  • Do not disclose to others

8. Safe Harbor & Legal Protection

8.1 Our Good Faith Promise

We will not pursue legal action against researchers who:

  • Comply with this vulnerability disclosure policy
  • Report vulnerabilities in good faith
  • Do not intentionally harm users or systems
  • Act in the best interest of Bondi and our users

Activities conducted in accordance with this policy will be considered authorized conduct and we will not initiate legal action for:

US Laws:

  • Computer Fraud and Abuse Act (CFAA) violations
  • Digital Millennium Copyright Act (DMCA) Section 1201 violations
  • Breach of Terms of Service (for testing purposes)

International Laws:

  • We will work with you to provide safe harbor under applicable local laws
  • Contact us if you have concerns about your jurisdiction

8.3 Requirements for Safe Harbor Protection

To qualify for safe harbor, you must:

  • Follow this policy in all respects
  • Report vulnerabilities promptly (within 7 days of discovery)
  • Act in good faith and avoid unnecessary harm
  • Respect user privacy and data confidentiality
  • Comply with all disclosure coordination requirements
  • Not exploit vulnerabilities beyond proof-of-concept

8.4 Third-Party Systems

This safe harbor applies only to Bondi systems:

  • Third-party services (AWS, Stripe, etc.) have their own policies
  • We cannot provide safe harbor for testing third-party systems
  • Unauthorized testing of third-party services may violate their terms

9. Recognition & Rewards

9.1 Security Researcher Hall of Fame

We maintain a public Hall of Fame to recognize security researchers who help us improve our security:

Recognition Includes:

  • Your name or handle listed on heybondi.com/security/hall-of-fame
  • Categorized by severity of vulnerabilities found
  • Link to your website, Twitter, or professional profile (optional)
  • Public acknowledgment in security advisories (with permission)

Privacy:

  • Recognition is optional - you may request to remain anonymous
  • You control what information is displayed
  • You can request removal at any time

9.2 Current Bug Bounty Status

Note: Bondi does not currently offer monetary rewards for vulnerability reports. This is a recognition-only program at this time.

Future Plans:

  • We are evaluating the possibility of a paid bug bounty program
  • This policy will be updated if monetary rewards are introduced
  • Researchers who have contributed will be notified

9.3 Appreciation & Swag

For significant security findings, we may offer:

  • Bondi swag (t-shirts, stickers, etc.)
  • Handwritten thank you notes from our security team
  • Direct communication with engineering leadership
  • Testimonials or references for your professional portfolio

Rewards are discretionary and based on:

  • Severity and impact of vulnerability
  • Quality of the report and proof-of-concept
  • Adherence to responsible disclosure practices

10. Confidentiality & Privacy

10.1 Our Commitment to You

We will:

  • Keep your identity confidential unless you provide explicit permission
  • Protect the details of your vulnerability report
  • Use secure communication channels
  • Not share your report with unauthorized parties
  • Give you credit only with your permission

Exceptions:

  • Legal requirements (subpoenas, court orders)
  • Coordination with third-party vendors (with notice to you)
  • Active exploitation requiring immediate action

10.2 Your Responsibility

You should:

  • Keep vulnerability details confidential until coordinated disclosure
  • Not discuss findings publicly before disclosure
  • Not share reports with other researchers or media
  • Delete any data obtained during research
  • Maintain secure communication practices

10.3 Non-Disclosure Agreement (NDA)

  • We do not require NDAs for basic vulnerability reporting
  • For advanced collaboration, we may request mutual NDA
  • Any NDA will be fair and reasonable

11. Contact & Support

11.1 Security Team Contact

Primary Contact:

Mailing Address: Bondi Security Team
2803 Philadelphia Pike, Suite B #356
Claymont, DE 19703
United States

11.2 Questions & Clarifications

For Policy Questions:

  • Email security@heybondi.com with “Policy Question” in subject
  • Scope clarifications
  • Testing authorization requests
  • Disclosure timeline inquiries

For Non-Security Issues:

11.3 Emergency Contact

For Critical, Actively Exploited Vulnerabilities:

  • Email security@heybondi.com with “URGENT - ACTIVE EXPLOIT” in subject
  • We monitor 24/7 for critical issues
  • Expect faster response for active threats

12. Program Updates & Changes

12.1 Policy Modifications

This policy may be updated to reflect:

  • Expanded scope (new systems or domains)
  • Enhanced recognition or rewards programs
  • Clarifications based on researcher feedback
  • Legal or regulatory requirements
  • Security program maturity

12.2 Notification of Changes

For Material Changes:

  • Posted on this page with “Last Updated” date
  • Email notification to researchers who have previously reported
  • 30-day notice before significant changes take effect

For Minor Updates:

  • Updated immediately with revision date
  • No advance notification required

12.3 Feedback & Suggestions

We welcome feedback on this program:

  • Suggestions for improving the policy
  • Ideas for better researcher experience
  • Questions or clarifications needed

Email suggestions to: security@heybondi.com with “Program Feedback” in subject

13. Additional Resources

13.1 Security Documentation

  • Security Overview: heybondi.com/security
  • Privacy Policy: heybondi.com/legal/privacy-policy
  • Data Processing Agreement: heybondi.com/legal/gdpr-dpa
  • Cookie Policy: heybondi.com/legal/cookie-consent

13.2 Industry Standards

This program aligns with:

  • ISO/IEC 29147: Vulnerability disclosure
  • ISO/IEC 30111: Vulnerability handling processes
  • NIST Cybersecurity Framework
  • disclose.io Core Terms (responsible disclosure framework)
  • CVSS Calculator: first.org/cvss/calculator/3.1
  • OWASP Top 10: owasp.org/Top10
  • CWE Database: cwe.mitre.org
  • CVE Database: cve.mitre.org

14. Frequently Asked Questions

Q: Can I test without creating an account? A: For most testing, you should create a test account. If testing requires elevated access, contact us first.

Q: What if I find a vulnerability in a third-party service you use? A: Report it to that service provider and inform us at security@heybondi.com for coordination.

Q: How long should I wait before public disclosure? A: The standard is 90 days from initial report, but we’ll work with you on timing.

Q: Can I include findings in my portfolio or resume? A: Yes, after coordinated disclosure. Please follow responsible disclosure practices.

Q: What if I accidentally access real user data? A: Stop immediately, report to security@heybondi.com, and delete the data. This won’t disqualify you if accidental.

Q: Do you have a bug bounty program? A: Not currently. This is recognition-only. We may introduce monetary rewards in the future.

Q: Can I use automated scanners? A: Not without prior written permission. Contact security@heybondi.com to request authorization.

Q: What if my report is a duplicate? A: We’ll let you know and still appreciate the effort. First reporter gets credit.

15. Acknowledgments

We are grateful to the security research community for helping us maintain a secure platform. Thank you to all researchers who have responsibly disclosed vulnerabilities and contributed to Bondi’s security.

Special Thanks:

  • The global security research community
  • Organizations that have established responsible disclosure best practices
  • Our users who trust us with their data and hold us to high standards

Thank you for helping keep Bondi secure!

For questions or to report a vulnerability: security@heybondi.com