The Responsible Disclosure Policy gives external security researchers a safe, predictable way to report vulnerabilities they find in botBrains systems. We welcome these reports and treat them as a valuable input to our security. A report received here enters the Incident Management Policy process and is triaged and remediated like any other security event.
botBrains is not yet ISO 27001 certified. We are preparing our ISMS and writing these policies as part of pursuing certification, and we fully intend to get our controls attested.
How to report
Send vulnerability reports to security@botbrains.io. A good report includes a description of the issue, the affected URL, endpoint, or component, the steps to reproduce it, and any proof-of-concept material. You may submit reports in English or German. Please report in private and give us a reasonable opportunity to fix the issue before disclosing it publicly.
Scope
In scope are botBrains-operated services and their public surfaces, including the platform at platform.botbrains.io, the chat widget at chat.botbrains.io, and the botBrains API. The following are out of scope:
| Out of scope | Reason |
|---|---|
| Third-party services and our subprocessors | Report these to the provider directly. See the subprocessor list. |
| Findings that require physical access, social engineering, or phishing of botBrains personnel | Not a technical vulnerability in our systems. |
| Volumetric denial-of-service and automated scanner output without a demonstrated impact | Low signal and potentially disruptive. |
| Customer-controlled configuration or content | Belongs to the customer as controller. |
Safe harbour
botBrains won’t pursue or support legal action against researchers who act in good faith under this policy. Acting in good faith means that you stay within the scope set out here; make a genuine effort to avoid privacy violations, data destruction, and service disruption; only interact with accounts you own or have explicit permission to test; don’t access, modify, or retain personal data or customer data beyond the minimum needed to demonstrate the issue; and give us a reasonable time to remediate before any public disclosure. If you accidentally encounter personal or customer data, stop, don’t save or share it, and tell us in your report. Where a researcher has acted in good faith and followed this policy, we won’t treat them as having violated it.
No bounty
botBrains doesn’t operate a paid bug bounty programme and doesn’t offer monetary rewards for reports. We will acknowledge your report, keep you informed, and credit you for a valid finding if you would like that. We state this plainly so expectations are clear.
What to expect from us
| Stage | Our commitment |
|---|---|
| Acknowledgement | We aim to confirm receipt of your report within a few business days. |
| Triage | The CISO assesses and assigns severity using the Incident Management Policy. |
| Remediation | We fix valid findings on a timeline driven by severity. We prioritise validated, exploitable issues. |
| Closure | We let you know when we resolve the issue. |
ISO 27001 mapping
This policy supports Annex A 5.7 (threat intelligence), 6.8 (information security event reporting), and 8.8 (management of technical vulnerabilities). We remediate reported issues under the Vulnerability Management Policy.
Review
The CISO owns this policy and reviews it at least annually and on any material change.