Vulnerability Disclosure

Please read the documentation below

Bypass.io Vulnerability Disclosure Policy

At Bypass.io, protecting the security and privacy of our platform and the data entrusted to us by our clients is paramount. We greatly appreciate the efforts of the security community in identifying vulnerabilities, and we invite responsible disclosures to help maintain the integrity of our services. This policy provides a framework for reporting vulnerabilities, outlining the scope, responsible testing guidelines, and our commitment to addressing valid reports.

Scope of the Policy

This policy pertains exclusively to the following assets:

  • Primary Domain: bypass.io
  • Subdomains: bypass.io/en/dashboard/.io, api.bypass.io
  • Mobile Applications (where applicable)

If you identify a vulnerability outside of the listed assets, please contact us for authorization before testing. Unauthorized testing of any other systems is not permitted.

Out-of-Scope Vulnerabilities

Certain vulnerabilities fall outside the scope of this policy. These include, but are not limited to:

  • Denial of Service (DoS) attacks
  • Descriptive error messages or system banners
  • Public directory or file disclosures, e.g., robots.txt
  • Known vulnerabilities in outdated libraries without a proven exploit
  • Misconfigurations not directly impacting security, such as HTTP methods or autocomplete fields in non-sensitive forms
  • Cross-Site Request Forgery (CSRF) vulnerabilities in logout forms
  • Clickjacking without a valid security risk
  • Mail configuration issues (e.g., SPF, DKIM, or DMARC settings)
  • Username enumeration vulnerabilities and login error messages
  • Self-XSS vulnerabilities exploitable only by the user

Responsible Testing Guidelines

To ensure our systems remain stable and reliable for all users, we request that security researchers adhere to the following guidelines:

  • Avoid Service Disruption: Testing should not impact system availability or functionality.
  • Respect Privacy: Do not access, store, or disclose any data that doesn’t belong to you.
  • Stay Within the Scope: Test only the assets listed in this policy’s scope section.
  • No Social Engineering: Avoid using phishing or social engineering tactics against Bypass.io employees, customers, or partners.
  • No Excessive Load Testing: Avoid tests that could create a large volume of requests, including DoS and brute-force attacks.

How to Report a Vulnerability

If you discover a security vulnerability, please report it via email to [email protected].

Your report should include:

  • Detailed Description: A clear summary of the vulnerability.
  • Reproduction Steps: Specific steps that illustrate how to replicate the issue.
  • Potential Impact: An explanation of the possible effects on our system or user data.
  • Supporting Evidence: Screenshots, logs, or other documentation that can help us assess the issue.

What You Can Expect from Us

  1. Timely Acknowledgment: We aim to acknowledge receipt of vulnerability reports within 3–4 business days.
  2. Ongoing Communication: We will work with you to understand the vulnerability and its potential impact.
  3. Remediation Transparency: You’ll receive updates on the steps we take to remediate verified vulnerabilities.
  4. Recognition: Where appropriate and with your consent, we may acknowledge your contribution on our security page for responsibly reported and resolved issues.

Legal Safe Harbor

Bypass.io considers research conducted in compliance with this policy as authorized and will not pursue legal action against researchers who adhere to these terms. Should a legal claim arise from a third party, Bypass.io will clarify that your actions were within the scope of this policy.

Bug Bounty Program

Currently, Bypass.io does not operate a bug bounty program. While no financial rewards are available at this time, we value and recognize contributions from security researchers who responsibly report vulnerabilities. If this changes, we will update our website accordingly.

Confidentiality and Disclosure

We ask that you keep details of any vulnerabilities confidential until we have had a chance to investigate and address them. Publicly disclosing the vulnerability before it is resolved may impact our systems or endanger users, so please wait for our confirmation before sharing any findings.

Policy Updates

Bypass.io reserves the right to amend this policy as necessary. We encourage researchers to review this page periodically to stay informed of any updates.

Contact Information

For any questions or to report a vulnerability, reach out to our security team at [email protected].

By following this policy, you help us maintain a secure platform and contribute to the safety and trust of our online community. We appreciate your collaboration and commitment to responsible security research.