# Security Policy

Thank you for your interest in helping us improve the security of our open source products, websites and other properties.

We have created this Bug Bounty program to appreciate and reward your efforts.

## Reporting a Vulnerability

Please report (suspected) security vulnerabilities to
**[support+security@bsf.io](mailto:support+security@bsf.io)**. You will receive a response from
us within 48 hours. If the issue is confirmed, we will release a patch as soon
as possible depending on complexity but historically within a few days.

We have [a bug bounty program](https://brainstormforce.com/bug-bounty-program/) too which gives people guidelines on how a report should be reported and how we can reward them for proper reporting.

If our  team cannot reproduce and verify an issue, a bounty cannot be awarded. To help streamline our intake process, we ask that submissions include:

- Description of the vulnerability
- Steps to reproduce the reported vulnerability
- Proof of exploitability (e.g. screenshot, video)
- Perceived impact to another user or the organization
- Proposed CVSSv3 Vector & Score (without environmental and temporal modifiers)
- List of URLs and affected parameters
- Other vulnerable URLs, additional payloads, Proof-of-Concept code
- Browser, OS and/or app version used during testing
- Impact of the bug

Security reports should be sent to **[support+security@bsf.io](mailto:support+security@bsf.io)**

For more details, please [visit this page](https://brainstormforce.com/bug-bounty-program/).

Once again, thank you for helping us improve security. We really appreciate it.