Skip to content
Being Optimal
Trust CenterPrivacyTermsPlans

Legal / Vulnerability Disclosure Policy

Vulnerability Disclosure Policy

Version 1.0.0-draft · Effective 2026-07-13 · Operator [PENDING: LEGAL_ENTITY_NAME]

Operator draft — not legal advice; counsel review required before relying on this text.

Contents

  1. 1. Scope
  2. 1.1 In scope
  3. 1.2 Out of scope
  4. 2. Safe harbor
  5. 3. Rules of engagement
  6. 4. How to report
  7. 5. Coordinated disclosure
  8. 6. Recognition and rewards
  9. 7. Out-of-scope findings (typically not actionable as security bugs)
  10. 8. security.txt
  11. Related documents

1. Scope

1.1 In scope

Being Optimal–operated surfaces associated with beingoptimal.org and related first-party properties, including (as applicable):

Surface Examples
Primary site & app https://beingoptimal.org, https://beingoptimal.org, signed-in planner shell
Help https://help.beingoptimal.org
Community (if operated by us) https://community.beingoptimal.org
Static assets https://assets.beingoptimal.org
First-party APIs Same-origin /api/* and related Being Optimal backends we control

1.2 Out of scope

Out of scope Guidance
Third-party providers Authentication, Database, Hosting, CDN/Edge, Cloud Infrastructure, Email Delivery, AI Model, Community Platform, Reverse-Geocoding, Billing, and other providers named in the Sub-processor List — report vulnerabilities to those providers under their programs
Physical attacks Data-center or office physical intrusion
Social engineering Phishing or social engineering of staff or users
Third-party sites Unrelated websites linking to or from Being Optimal
Denial-of-service Volumetric DoS/DDoS testing against production
Non-security bugs Pure product defects without security impact (use [email protected])

If unsure whether a target is in scope, email [email protected] before testing.


2. Safe harbor

If you make a good-faith effort to comply with this policy during your research, [PENDING: LEGAL_ENTITY_NAME] will:

  • Consider your research authorized under applicable computer-misuse laws to the extent we can grant such authorization;
  • Not pursue civil legal action against you, or support criminal prosecution, related to that research;
  • Work with you in good faith if others misconstrue your actions.

Limits:

  • Safe harbor applies only to research on in-scope Being Optimal systems and does not bind third parties (including sub-processors or users).
  • Safe harbor does not cover access to other users’ data, data exfiltration, extortion, public zero-day dumps, or intentional damage.
  • If in doubt, ask at [email protected] before testing.

3. Rules of engagement

You must:

  1. Respect privacy — do not access, modify, exfiltrate, or store Personal Data (especially health data) that is not yours; use your own test accounts.
  2. Stop and report immediately if you encounter another person’s Personal Data.
  3. Avoid harm — no denial-of-service, spam, resource exhaustion, ransomware, or destructive testing.
  4. Avoid high-volume automated scanning that degrades service.
  5. Not pivot into third-party systems, other tenants’ data, or provider control planes.
  6. Not attempt to socially engineer staff or users.
  7. Give us reasonable time to remediate before any public disclosure (see §5).
  8. Not demand payment under threat of disclosure (extortion voids safe harbor).

You must not:

  • Publicly publish exploit code or zero-day details before we have had a fair chance to remediate (coordinated disclosure);
  • Sell or transfer vulnerability details to third parties other than us, except as required by law or mutually agreed coordinated disclosure channels.

4. How to report

Email [email protected] with:

Field Content
Summary Clear title and impact assessment
Steps to reproduce Minimal proof-of-concept — not a weaponized exploit pack
Affected URLs / endpoints Host, path, method, timestamps (UTC)
Account used Test account identifiers only
Suggested fix Optional
Contact How we can reach you for follow-up

PGP: If we publish a PGP key (e.g., via security.txt), you may use it for sensitive reports. Until then, email is accepted.

Do not file security reports through public community forums or social media.


5. Coordinated disclosure

Stage Our aim
Acknowledgment Prompt confirmation of receipt
Triage Initial severity assessment and next steps
Remediation Risk-prioritized fix on a reasonable timeline
Disclosure Coordinated public disclosure by mutual agreement, typically up to 90 days from report, extendable for complex issues

We ask that you:

  • Keep the report confidential until we agree it is safe to disclose;
  • Not publish zero-day details, credentials, or Personal Data;
  • Allow time for users to update if a client-side fix is required.

If we fail to respond after repeated good-faith contact, you may escalate via [email protected] before any public statement.


6. Recognition and rewards

Being Optimal does not operate a paid bug-bounty program by default. We may:

  • Thank researchers privately;
  • Offer public acknowledgment (with permission);
  • Announce a separate bounty program later with its own terms.

No reward is guaranteed.


7. Out-of-scope findings (typically not actionable as security bugs)

  • Missing “best practice” headers without demonstrated impact;
  • Rate-limit or spam reports without a concrete vulnerability;
  • Self-XSS, clickjacking on non-sensitive public pages without impact;
  • Theoretical issues without a working demonstration;
  • Reports based solely on automated scanner output without validation;
  • Vulnerabilities in out-of-scope third-party products.

8. security.txt

When published, machine-readable contact information will be available at:

https://beingoptimal.org/.well-known/security.txt

This policy remains the human-readable source of process and safe-harbor terms.


Related documents

  • Security And Compliance
  • Privacy Policy
  • Contact And Legal Notices
  • Sub Processor List

Content hash: b96317105b16… · Built 2026-07-15

← Back to Legal hub

© 2026 Being Optimal · Planning context, not medical advice.

Legal hub · Terms · Privacy · Cookies · Medical disclaimer · Contact