VULNERABILITY DISCLOSURE PROGRAM

Help us stay secure.

We welcome reports from the security research community. This policy describes the rules of engagement, expectations, and rewards.

Found a vulnerability?

Send your findings to security@badex.app — encrypted if possible.

Our process

  1. Acknowledgment
     We acknowledge receipt within 24 hours (critical) or 7 days (other).
  2. Triage & Verification
     We reproduce the issue and assess severity using CVSS 3.1.
  3. Fix Development
     We develop, test, and deploy a fix following our SDLC.
  4. Customer Notification
     If customers are affected, we notify them per GDPR breach notification requirements (within 72h).
  5. Public Disclosure
     After the fix is deployed and customers are notified, we publish a public advisory (typically 90 days after the fix). Reporter credit on request.

Severity & response times

Severity   Acknowledgment   Patch target   Examples
Critical   24 hours         7 days         Remote code execution, authentication bypass, mass customer data exposure
High       48 hours         14 days        Privilege escalation, sensitive data leak, stored XSS with admin impact
Medium     7 days           30 days        IDOR, reflected XSS, business logic flaws
Low        14 days          90 days        Information disclosure (low impact), minor configuration issues

In Scope

  • *.badex.app domains (signature, invoice, portal, monitor, support)
  • Authentication and authorization flows
  • Customer data access controls (tenant isolation)
  • API endpoints (all public REST endpoints)
  • Microsoft 365 OAuth integration
  • Webhook endpoints (Microsoft Graph callbacks)

Out of Scope

  • Denial of Service (DoS/DDoS) attacks against production
  • Social engineering of Badex employees
  • Physical attacks on infrastructure
  • Issues in third-party services already disclosed (Microsoft, Cloudflare, etc.)
  • Best-practice findings without security impact (e.g., missing security headers without exploitation)
  • Self-XSS or attacks requiring physical access to victim device

Safe Harbor

Badex commits not to pursue legal action against security researchers who follow this disclosure policy in good faith. This includes:

  • No legal action under the Computer Fraud and Abuse Act (CFAA) or DMCA
  • No legal action for circumventing access controls solely to demonstrate the vulnerability
  • We waive applicable terms of service violations strictly necessary to your research

Provided that you: (1) only access data necessary to confirm the vulnerability, (2) do not exfiltrate, modify, or delete production data, and (3) report promptly and make no public disclosure before a fix is in place.