Responsible Disclosure Policy
At GoBright, your trust means everything to us. That’s why the security of our systems—and the protection of your data—is one of our top priorities. Despite our best efforts, vulnerabilities can still occur. If you’ve discovered one, we’d really appreciate your help in resolving it.
Here’s how you can help:
- Let us know what you’ve found by emailing [email protected].
- Please use our PGP key to encrypt your message—this helps to keep sensitive information secure.
- Do not exploit the issue: avoid downloading more data than necessary, or altering or deleting anything.
- We ask that you refrain from sharing information about the vulnerability publicly or with any third party for 90 days after you receive our initial response. We will work with you on a coordinated public disclosure after the issue is resolved.
- Please don’t use physical attacks, social engineering, DDoS, spam, or abuse of third-party applications.
- Include enough detail for us to reproduce the problem. A URL or IP address and a clear description usually do the trick.
What you can expect from us:
- We’ll respond within 3 working days with an initial update and estimated resolution time.
- In regard to the report if you follow the guidelines above. If you act in good faith and adhere to this policy during your security research, we will consider your research to be authorised. We will not initiate a lawsuit or a law enforcement investigation against you in response to your research. If legal action is initiated by a third party against you in connection with activities conducted under this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
- We’ll treat your report with strict confidentiality—we won’t share your personal details without your permission.
- You’ll be kept informed as we work on the fix.
- We’re happy to credit you as the discoverer (or keep you anonymous, if you prefer).
- As a token of our appreciation, we offer rewards for reports on qualifying, previously unknown security vulnerabilities. The decision to grant a reward is at our discretion. The reward amount is based on the vulnerability’s severity, its impact on our systems and users, and the quality of your report. Rewards for qualifying issues typically start at a €50 gift card for low-severity findings.
We’re committed to resolving issues as quickly as possible—and we’d love to work with you on a responsible public disclosure once everything is resolved.
Thanks for helping to keep GoBright secure.