Last updated: 2026-06-02
Security Policy
Reporting a vulnerability
If you discover a security vulnerability in Buglyst, please report it responsibly. Do not open a public GitHub issue or post it publicly.
Email your findings to security@buglyst.com. Include:
- A clear description of the vulnerability.
- Steps to reproduce it.
- The potential impact (data exposure, privilege escalation, etc.).
- Your suggested fix if you have one.
What to expect
- We will acknowledge your report within 3 business days.
- We will investigate and, if confirmed, work to remediate within 30 days for critical issues and 90 days for lower-severity issues.
- We will notify you when the issue is resolved and credit you in the changelog if you wish.
Safe harbour
Security research conducted in good faith is welcome. We will not pursue legal action against researchers who:
- Report vulnerabilities promptly and do not exploit them beyond what is needed to demonstrate a proof of concept.
- Do not access, modify, or destroy other users' data.
- Do not perform denial-of-service attacks or disruptive testing on production.
- Do not publicly disclose details before we have had a reasonable time to respond.
Testing against your own locally running instance is always acceptable and is the preferred approach.
Out of scope
- Attacks against the production service (DoS, brute force, scanning).
- Social engineering of team members.
- Vulnerabilities in third-party services we depend on (report those upstream).
- Rate-limit bypasses that do not result in meaningful data exposure.