PricingSign inRequest a Demo

Report a Vulnerability

Bindplane Vulnerability Disclosure Program

We take the security of Bindplane and our customers seriously. Our Vulnerability Disclosure Program encourages ethical security researchers to identify and report potential security weaknesses. Responsible reporting helps us proactively improve our platform and keep our users safe.

How to Report a Vulnerability

Please send suspected vulnerabilities to [email protected] with the subject line: “Vulnerability Report”.

When submitting a report, please include:

  • A clear description of the issue.

  • Step-by-step instructions to reproduce the behavior.

  • Proof of concept (screenshots, code, or video).

  • Assessment of the potential impact.

  • Your name and contact information for follow-up.

What Happens After You Report

  • Acknowledgment: We confirm receipt of your submission within 24–48 hours.

  • Triage: Our security team reviews your report for validity and scope within 5 business days.

  • Investigation: If needed, we may contact you for clarification or additional information.

  • Resolution: Validated issues are remediated as quickly as possible.

  • Communication: We will update you on the resolution progress.

Scope

In-Scope Systems

The following systems and domains are covered by this Vulnerability Disclosure Program:

Out-of-Scope Systems

The following systems and domains are explicitly excluded from this program:

  • Third-party services and applications used by our company

  • Physical security vulnerabilities at our offices

  • Social engineering attacks against our employees

  • Internal corporate systems (mail servers, intranet, etc.)

  • Staging, development, or test environments

  • Systems or services hosted by third-party providers (unless specifically listed as in-scope)

Qualifying Vulnerability Types

The following types of vulnerabilities qualify for our program:

  • Remote Code Execution (RCE)

  • SQL Injection

  • Authentication or authorization flaws

  • Server-Side Request Forgery (SSRF)

  • Cross-Site Scripting (XSS)

  • Cross-Site Request Forgery (CSRF)

  • Business logic vulnerabilities

  • Sensitive data exposure

  • Insecure Direct Object References (IDOR)

  • Security misconfiguration

  • Email spoofing vulnerabilities (SPF/DKIM/DMARC issues)

Non-Qualifying Vulnerability Types

The following types of vulnerabilities are not eligible for rewards:

  • Denial of Service (DoS or DDoS) attacks

  • Rate limiting issues that do not lead to security vulnerabilities

  • Clickjacking with no demonstrated impact

  • Self-XSS requiring significant user interaction

  • Vulnerabilities in outdated browsers or platforms

  • Recently disclosed vulnerabilities (within 30 days)

  • Missing security headers with no demonstrated impact

  • Vulnerabilities requiring physical access to a user's device

  • Attacks requiring MITM (Man in the Middle) or physical network access

  • Vulnerabilities affecting users with outdated or modified browsers

  • Issues related to HTTP Public Key Pinning

  • Lack of password complexity requirements

  • Username/email enumeration with no demonstrated security impact

  • Mixed content warnings

Rewards and Recognition

We are a small, distributed team, so while we may not always offer financial rewards, we want to recognize your contributions. Depending on the severity and quality of your report, rewards may include:

  • Critical findings: Eligible for our highest-tier rewards, such as larger gift cards or premium swag bundles (hoodies, mugs, sticker packs).

  • High-severity findings: Eligible for meaningful rewards, such as mid-value gift cards or branded swag (hoodies, t-shirts, sticker packs).

  • Medium-severity findings: Eligible for modest rewards, such as smaller gift cards, t-shirts, or mugs.

  • Low-severity findings: Eligible for a token of appreciation - sticker packs, mugs, or a shout-out in our Hall of Fame.

  • Out-of-scope or non-qualifying reports: While not eligible for material rewards, we may still recognize your effort with thanks and, where possible, community recognition.

Note: Reward type and amount are determined at the discretion of the Bindplane Security Team and Bindplane Security Advisory Board, based on severity, impact, and report quality.

Rules of Engagement

To protect our users and systems, please follow these guidelines:

  • Only test in-scope systems.

  • Do not attempt denial of service or degrade performance.

  • Avoid accessing, modifying, or deleting data that is not yours. If you accidentally access sensitive information, stop immediately and notify us.

  • Limit any data accessed to what is necessary to demonstrate the vulnerability.

  • Do not attempt phishing, social engineering, or physical attacks.

  • Avoid automated scanning without prior approval.

  • Your research must comply with all applicable laws and regulations.

  • Only the first responsible submission of a vulnerability with actionable details will be considered for recognition.

Safe Harbor

Researchers who follow these guidelines and submit in good faith will be considered authorized under applicable law. We will not take legal action against responsible disclosure participants.

Disclosure

By participating in this program you agree to not publicly disclose vulnerabilities until they have been confirmed and remediated. We will work with you to coordinate safe disclosure where appropriate.

PreviousCreate a Support BundleNextFrequently Asked Questions

Last updated

Was this helpful?