Responsible Disclosure

Scope

This policy applies to vulnerabilities in our public-facing websites, APIs, and applications. We are not able to accept reports for third-party services or client systems.

Guidelines

We ask that you:

• Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
• Give us reasonable time to respond to your report before making any information public
• Do not access or modify data that does not belong to you
• Act in good faith to avoid privacy violations, data destruction, and service interruption
• Only test against accounts you own or have explicit permission to test

How to Report

Please send your findings to security@losbebesinc.com. Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any suggestions for remediation

What to Expect

• Acknowledgment of your report within 2 business days
• Regular updates on our progress
• Credit in our security acknowledgments (if desired)
• No legal action against researchers acting in good faith

Out of Scope

The following are not in scope:

• Denial of service attacks
• Social engineering attacks on our employees
• Physical attacks on our offices or data centers
• Attacks against third-party services we use
• Spam or social engineering techniques

Safe Harbor

We consider security research conducted consistent with this policy to be authorized, and we will not pursue legal action against researchers for accidental, good faith violations. We ask that you contact us before engaging in conduct that may be inconsistent with or unaddressed by this policy.