Safe Harbor Policy

As a company founded by scientists, we believe in peer review. That's why we support the independent security community in helping us maintain the security of our systems and protect sensitive information from unauthorized disclosure. We encourage security researchers to contact us to report potential vulnerabilities identified in Bitstry products and services.

This policy specifies:

  • What systems and applications are in scope

  • What types of security research methods are covered

  • How to report potential security vulnerabilities to us

  • Our vulnerability disclosure philosophy and how long we will ask you to wait before publicly disclosing vulnerabilities

Bitstry will acknowledge receipt of reports that comply with this vulnerability disclosure policy within five (5) business days. Upon receipt, we will endeavor to validate submissions, implement corrective actions (if appropriate), and inform researchers of the disposition of reported vulnerabilities with minimum delay.

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized under Bitstry's safe harbor policy. We will work with you to understand and resolve the issue quickly and will not recommend or pursue legal action against you for any of your actions related to your research.

Test methods

Security researchers must not:

  • Test any system other than the systems set forth in the Scope section below

  • Engage in social engineering

  • Send unsolicited electronic mail to Bitstry users, including “phishing” messages

  • Execute or attempt to execute “denial of service” or “resource exhaustion” attacks

  • Introduce malicious software in the systems of Bitstry or any third party

  • Perform tests that could degrade the operation of Bitstry systems or intentionally impair, disrupt, or disable SEC systems

  • Test third-party applications, websites, or services that integrate with or link to or from Bitstry systems

  • Delete, alter, share, retain, or destroy Bitstry data, or render Bitstry data inaccessible

  • Use an exploit to exfiltrate data, establish command line access, establish a persistent presence on Bitstry systems, or “pivot” to other Bitstry systems

  • Disclose vulnerability information except as set forth in the Reporting a vulnerability and Disclosure sections below

  • Engage in physical testing of facilities or resources

Security researchers may:

  • View or store Bitstry nonpublic data only to the extent necessary to document the presence of a potential vulnerability

Security researchers must:

  • Cease testing and notify us immediately upon discovery of a vulnerability

  • Cease testing and notify us immediately upon discovery of an exposure of nonpublic data

  • Purge any stored nonpublic data upon reporting a vulnerability

Scope

The following products, systems and services are in scope:

  • All Bitstry security, protection, and cybersecurity services

  • Bitstry CRM, ERP and Billing

  • Bitstry Identity Verification

  • Bitstry NDA Helper

  • Bitstry Compliance and Protection

  • Bitstry Digital Certificates

Any services not explicitly listed above are excluded from the scope of this policy. The following issue types and techniques are also out of scope, including, but not limited to:

  • Spam

  • Social engineering techniques

  • Denial-of-service attacks

  • Content injection, unless you can clearly demonstrate a significant risk to Proton or its users

  • Executing scripts on sandboxed domains

  • Security issues outside the scope of Bitstry's mission

  • Bugs that require exceedingly unlikely user interactions

  • WordPress bugs (please report those to WordPress)

  • Proof of concepts that require physical access to the device

  • Out-of-date software: for a variety of reasons, we do not always run the most recent software versions, but the software we do run is fully patched

  • Flaws impacting out-of-date browsers

Reporting a vulnerability

Reports are accepted via electronic mail at hr@bitstry.com. Acceptable message formats are plain text, rich text, and HTML. We encourage you to encrypt submissions using our PGP public key when submitting vulnerabilities.

  • We prefer reports that include proof-of-concept code demonstrating an exploitation of the vulnerability

  • Reports should provide a detailed technical description of the steps required to reproduce the vulnerability, including a description of any tools needed to identify or exploit the vulnerability

  • Images (e.g., screen captures) and other documents may be attached to reports. It is helpful to give attachments illustrative names

  • We request that any scripts or exploit code be embedded into non-executable file types

  • We can process all common file types and archives, including zip, 7zip, and gzip

Researchers may submit reports anonymously or provide contact information, including how and when the Bitstry Security team should contact them. We may contact researchers to clarify aspects of the submitted report or gather other technical information.

By submitting a report to Bitstry, you affirm that the report and any attachments do not violate the intellectual property rights of any third party. You also grant Bitstry a non-exclusive, royalty-free, worldwide, perpetual license to use, reproduce, create derivative works, and publish the report and any attachments.

Disclosure

We require that you refrain from sharing information about discovered vulnerabilities for 120 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, you must coordinate in advance with the Bitstry Security team.

We may share vulnerability reports with affected vendors. We will not share the names or contact data of security researchers unless given explicit permission.

Questions?

Questions regarding this policy may be sent to hr@bitstry.com. Bitstry encourages security researchers to contact us for clarification on any element of this policy.

Before you begin testing, please contact us if you are unsure whether a specific test method is inconsistent with or unaddressed by this policy. We also invite security researchers to contact us with suggestions for improving this policy.

In case of discrepancy between the English version of this content and any translated version, the English version shall prevail.