Bruin Data Limited

Vulnerability Disclosure Program

Last updated: January 23, 2026

At Bruin, we take the security of our systems and our users' data seriously. We value the work of security researchers who help us identify and address vulnerabilities. This policy outlines how to report security issues to us and what you can expect when you do.

Reporting a Vulnerability

If you believe you have discovered a security vulnerability in any Bruin-owned service, we encourage you to report it to us as soon as possible. Please send your findings to:

Scope

This vulnerability disclosure program covers:

Out of Scope

The following are not covered by this program:

  • Denial of Service (DoS) or Distributed Denial of Service (DDoS) attacks
  • Physical security testing
  • Social engineering attacks (e.g., phishing, pretexting)
  • Attacks against our employees or users
  • Third-party services, applications, or websites that integrate with Bruin
  • Vulnerabilities in third-party software or dependencies (please report these to the respective maintainers)
  • Spam or issues related to email configuration (SPF, DKIM, DMARC)
  • Missing security headers that do not lead to direct exploitation
  • Clickjacking on pages without sensitive actions
  • Self-XSS (cross-site scripting that only affects the user's own session)

Guidelines

When conducting security research, we ask that you:

  • Act in good faith and avoid actions that could harm Bruin, our users, or our services
  • Do not access, modify, or delete data that does not belong to you
  • Do not disrupt our services or degrade the experience for our users
  • Only interact with accounts you own or have explicit permission to test
  • Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it
  • Provide us with sufficient detail to understand and reproduce the issue
  • Avoid automated scanning tools that could generate excessive traffic

What to Include in Your Report

To help us address the issue quickly, please include:

  • A clear description of the vulnerability
  • Step-by-step instructions to reproduce the issue
  • The affected URL, endpoint, or component
  • Any relevant screenshots, videos, or proof-of-concept code
  • The potential impact of the vulnerability
  • Your recommended remediation, if any

Our Response

When you submit a vulnerability report, you can expect:

  • An acknowledgment of your report within 3 business days
  • Regular updates on the status of your report
  • Notification when the vulnerability has been resolved
  • Credit for your discovery, if you wish (see Recognition below)

We aim to resolve critical vulnerabilities as quickly as possible. The timeline for resolution depends on the complexity and severity of the issue.

Safe Harbour

If you conduct security research in accordance with this policy, we consider your research to be authorised and will not pursue legal action against you. We will work with you to understand and resolve the issue quickly.

If legal action is initiated by a third party against you for activities that were conducted in accordance with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

This safe harbour applies only to legal claims under our control. It does not apply to actions taken by third parties or to activities that violate the guidelines outlined above.

Recognition

We are grateful to security researchers who help us keep Bruin secure. With your permission, we will acknowledge your contribution when we disclose the vulnerability.

Please note that we do not currently offer monetary rewards or bounties for vulnerability reports. We hope to introduce a formal bug bounty program in the future.

Contact Us

If you have any questions about this policy or need to report a security issue, please contact us: