Vulnerability Disclosure Policy

Effective Date: November 2, 2025

Our Commitment

At Bear Billing, we value the security research community. We encourage responsible disclosure of security vulnerabilities and commit to:

  • Acknowledging reports promptly (within 3 business days)
  • Investigating all legitimate reports
  • Working to fix verified vulnerabilities quickly
  • Keeping you informed of our progress
  • Recognizing your contribution publicly (if desired)

Safe Harbor

We will not pursue legal action against researchers who act in good faith, follow this policy, and do not cause harm. We will work with you to understand and resolve security issues.

Scope

In Scope:

  • https://api.bearbilling.com/*
  • https://app.bearbilling.com/*
  • https://bearbilling.com/*
  • https://docs.bearbilling.com/*

Out of Scope:

  • Third-party services (Stripe, hosting providers)
  • Services on domains not owned by Bear Billing
  • Social engineering attacks
  • Physical security
  • Denial-of-service attacks

Priority Vulnerabilities

High Priority

SQL injection, RCE, authentication bypass, authorization flaws, SSRF

Medium Priority

XSS with impact, CSRF with impact, business logic flaws, information disclosure

Low Priority

Security misconfiguration, missing headers with proven impact, clickjacking

How to Report

Email: [email protected]

Please include:

  • Description of the vulnerability
  • Detailed steps to reproduce
  • Proof of concept (code, screenshots, or video)
  • Your assessment of impact and severity
  • Your email and name (for acknowledgment)

What to Expect

  • Initial Response: Within 3 business days
  • Validation: Within 7 business days
  • Regular Updates: Every 7 days until resolved
  • Fix Timeline:
    • Critical: 7 days
    • High: 14 days
    • Medium: 30 days
    • Low: 90 days

Guidelines

✅ Please Do

  • Use your own test accounts
  • Report vulnerabilities promptly
  • Provide detailed reproduction steps
  • Give us time to fix before public disclosure
  • Delete any data created during testing

❌ Please Don't

  • Access or modify other users' data
  • Perform DoS attacks
  • Use social engineering or phishing
  • Test third-party services
  • Publicly disclose before we fix

Recognition

We recognize security researchers who help us improve our security:

  • Security Hall of Fame - Public recognition on our website
  • Credit in Advisories - Acknowledgment when we publish fixes
  • Reference Letters - Upon request for critical findings

Note: We do not currently have a paid bug bounty program, but plan to launch one in the future.

Coordinated Disclosure

We practice coordinated disclosure:

  • We'll notify you when the fix is deployed
  • We'll coordinate on public disclosure timing (typically 30-90 days after the fix)
  • We'll publish a security advisory and credit you (if desired)

Contact

Report Vulnerabilities: [email protected]

Policy Questions: [email protected]

Response Time: Within 3 business days (24 hours for urgent issues)

Thank You

We appreciate the security research community's efforts to keep Bear Billing and our customers safe. Your responsible disclosure helps us maintain a secure service. Thank you for making the internet safer!