Responsible Disclosure Policy
At BlueBear, we take security seriously. We appreciate the efforts of security researchers and the broader community in helping us keep our services safe and reliable. This policy outlines how we handle vulnerability reports and disclosure, and what we expect from researchers.
Our Commitments
If you report a security issue in accordance with this policy:
- We will respond promptly, usually within 2 business days.
- We will treat your report with respect and confidentiality.
- We can provide a test environment if you want to confirm any findings.
- We aim to act quickly on all security reports and, where possible, to mitigate the issue in under a week.
- We will keep you informed as we investigate and resolve the issue.
- We may acknowledge your contribution publicly (with your permission, of course).
What We Ask of You
To ensure a productive and respectful process, we ask that you:
- Act in good faith and avoid violating privacy, destroying data, or affecting service availability.
- Avoid (further) testing against production systems, especially automated or high-volume operations.
- Do not access, modify, or delete data that isn't yours.
- Give us a reasonable amount of time to fix the issue before public disclosure.
- Use our preferred contact method: security@bluebear.nl.
Safe Harbour
We won't take legal action against research that is conducted in good faith and in line with the intent of our policy.
Be ethical, be responsible, and don't be a jerk, and we'll do the same.
Out of Scope
While we appreciate curiosity, please note the following are considered out of scope:
- Denial of Service (DoS/DDoS) attacks, including bandwidth exhaustion, CPU exhaustion, or brute force against public endpoints.
- Automated scanning or fuzzing of production systems (we reserve the right to block IPs without notice).
- Social engineering of BlueBear employees, contractors, or customers.
- Physical attacks against our offices or data centres.
- Spam, clickjacking, tab-nabbing, or UI redress attacks without a clearly exploitable impact.
- TLS/SSL configuration issues (e.g. lack of HSTS, weak ciphers) unless demonstrably exploitable.
- Missing HTTP headers (e.g., X-Frame-Options) unless proven exploitable.
- Vulnerabilities in third-party services unless they clearly impact our users or infrastructure.
These items aren't listed to shut down research; they're here to reduce noise, avoid unintended impact, and help us focus on what matters most.
If you're unsure whether something is in scope, just ask us. We're happy to clarify.
Note: This policy doesn't constitute prior authorisation or consent for testing; please don't interpret it as such. Reach out if you're actively looking, and we'll do our best to say yes (or at least reply quickly).
Bug Bounty
We don't currently offer a paid bug bounty programme.
That said, we're always open to recognising meaningful contributions, including credit and swag (suggestions are welcome) or, at the very least, gratitude-laced email replies.
Contact
- Email: security@bluebear.nl
- Preferred languages: English, Dutch
- See also: bluebear.nl/security and security.txt
Thank You
We deeply appreciate researchers who help keep BlueBear secure.
If you've found something, or even if you're just curious, don't hesitate to get in touch. We'll treat you with respect, and we hope to earn yours in return.