LegalVulnerability Disclosure Policy
Vulnerability Disclosure Policy
1. Scope
1.1 In scope
Being Optimal–operated surfaces associated with beingoptimal.org and related first-party properties, including (as applicable):
| Surface | Examples |
|---|---|
| Primary site & app | https://beingoptimal.org, https://beingoptimal.org, signed-in planner shell |
| Help | https://help.beingoptimal.org |
| Community (if operated by us) | https://community.beingoptimal.org |
| Static assets | https://assets.beingoptimal.org |
| First-party APIs | Same-origin /api/* and related Being Optimal backends we control |
1.2 Out of scope
| Out of scope | Guidance |
|---|---|
| Third-party providers | Authentication, Database, Hosting, CDN/Edge, Cloud Infrastructure, Email Delivery, AI Model, Community Platform, Reverse-Geocoding, Billing, and other providers named in the Sub-processor List — report vulnerabilities to those providers under their programs |
| Physical attacks | Data-center or office physical intrusion |
| Social engineering | Phishing or social engineering of staff or users |
| Third-party sites | Unrelated websites linking to or from Being Optimal |
| Denial-of-service | Volumetric DoS/DDoS testing against production |
| Non-security bugs | Pure product defects without security impact (use [email protected]) |
If unsure whether a target is in scope, email [email protected] before testing.
2. Safe harbor
If you make a good-faith effort to comply with this policy during your research, [PENDING: LEGAL_ENTITY_NAME] will:
- Consider your research authorized under applicable computer-misuse laws to the extent we can grant such authorization;
- Not pursue civil legal action against you, or support criminal prosecution, related to that research;
- Work with you in good faith if others misconstrue your actions.
Limits:
- Safe harbor applies only to research on in-scope Being Optimal systems and does not bind third parties (including sub-processors or users).
- Safe harbor does not cover access to other users’ data, data exfiltration, extortion, public zero-day dumps, or intentional damage.
- If in doubt, ask at [email protected] before testing.
3. Rules of engagement
You must:
- Respect privacy — do not access, modify, exfiltrate, or store Personal Data (especially health data) that is not yours; use your own test accounts.
- Stop and report immediately if you encounter another person’s Personal Data.
- Avoid harm — no denial-of-service, spam, resource exhaustion, ransomware, or destructive testing.
- Avoid high-volume automated scanning that degrades service.
- Not pivot into third-party systems, other tenants’ data, or provider control planes.
- Not attempt to socially engineer staff or users.
- Give us reasonable time to remediate before any public disclosure (see §5).
- Not demand payment under threat of disclosure (extortion voids safe harbor).
You must not:
- Publicly publish exploit code or zero-day details before we have had a fair chance to remediate (coordinated disclosure);
- Sell or transfer vulnerability details to third parties other than us, except as required by law or mutually agreed coordinated disclosure channels.
4. How to report
Email [email protected] with:
| Field | Content |
|---|---|
| Summary | Clear title and impact assessment |
| Steps to reproduce | Minimal proof-of-concept — not a weaponized exploit pack |
| Affected URLs / endpoints | Host, path, method, timestamps (UTC) |
| Account used | Test account identifiers only |
| Suggested fix | Optional |
| Contact | How we can reach you for follow-up |
PGP: If we publish a PGP key (e.g., via security.txt), you may use it for sensitive reports. Until then, email is accepted.
Do not file security reports through public community forums or social media.
5. Coordinated disclosure
| Stage | Our aim |
|---|---|
| Acknowledgment | Prompt confirmation of receipt |
| Triage | Initial severity assessment and next steps |
| Remediation | Risk-prioritized fix on a reasonable timeline |
| Disclosure | Coordinated public disclosure by mutual agreement, typically up to 90 days from report, extendable for complex issues |
We ask that you:
- Keep the report confidential until we agree it is safe to disclose;
- Not publish zero-day details, credentials, or Personal Data;
- Allow time for users to update if a client-side fix is required.
If we fail to respond after repeated good-faith contact, you may escalate via [email protected] before any public statement.
6. Recognition and rewards
Being Optimal does not operate a paid bug-bounty program by default. We may:
- Thank researchers privately;
- Offer public acknowledgment (with permission);
- Announce a separate bounty program later with its own terms.
No reward is guaranteed.
7. Out-of-scope findings (typically not actionable as security bugs)
- Missing “best practice” headers without demonstrated impact;
- Rate-limit or spam reports without a concrete vulnerability;
- Self-XSS, clickjacking on non-sensitive public pages without impact;
- Theoretical issues without a working demonstration;
- Reports based solely on automated scanner output without validation;
- Vulnerabilities in out-of-scope third-party products.
8. security.txt
When published, machine-readable contact information will be available at:
https://beingoptimal.org/.well-known/security.txt
This policy remains the human-readable source of process and safe-harbor terms.