Responsible Disclosure Policy
Backbuild welcomes reports from the security research community. We believe that working openly with researchers makes our products safer for everyone. This policy describes what is in scope, how to report a vulnerability, what you can expect from us, and the safe harbor we extend to good-faith researchers who follow these rules.
Scope
In scope
- *.backbuild.ai production web properties and APIs
- Backbuild mobile and desktop applications distributed by Gable Digital Solutions, Inc.
- Backbuild CLI and SDKs published to public package registries
- Authentication, authorization, and session management flows
- Multi-tenant data isolation issues between organizations
- Server-side request forgery, injection, deserialization, and similar classes
Out of scope
- Third-party services we depend on (Cloudflare, Stripe, identity providers) — report to the vendor
- Denial of service, volumetric attacks, or resource exhaustion tests
- Social engineering of Backbuild employees, customers, or contractors
- Physical attacks against Backbuild offices or personnel
- Reports from automated scanners without demonstrated impact
- Missing best-practice headers or cookie flags without a concrete exploit
- Clickjacking on pages without sensitive actions
- Self-XSS requiring the victim to paste attacker-controlled content
- dev.*, staging.*, and other non-production environments unless explicitly invited
Reporting process
- Email security@backbuild.ai with the subject line VULNERABILITY REPORT.
- Include a clear description of the issue, the affected endpoint or component, and reproduction steps.
- Attach proof-of-concept material (screenshots, request captures, minimal exploit code) where possible.
- Tell us your preferred credit name, or request anonymity.
- Do not publicly disclose the issue until we have confirmed a fix and agreed on a disclosure timeline.
For sensitive reports, you may encrypt your message with our PGP key. A public key is available on request from security@backbuild.ai and will be published at /.well-known/pgp-key.txt in a future update.
-----BEGIN PGP PUBLIC KEY BLOCK-----
[Placeholder — contact the security team for the current key]
-----END PGP PUBLIC KEY BLOCK-----
What you can expect from us
| Milestone | Target |
|---|---|
| Acknowledge receipt | Within 1 business day |
| Triage and severity assignment | Within 3 business days |
| Remediation plan communicated | Within 7 business days |
| Critical severity fix deployed | Within 7 days of confirmation |
| High severity fix deployed | Within 30 days of confirmation |
| Medium severity fix deployed | Within 90 days of confirmation |
| Public disclosure (coordinated) | After fix is deployed and validated |
Safe harbor
Backbuild will not pursue or support legal action against security researchers who:
- Make a good-faith effort to comply with this policy
- Only access, modify, or destroy data belonging to accounts they own or are authorized to test
- Stop testing and notify us immediately upon encountering third-party data or personally identifiable information
- Do not exploit a vulnerability beyond what is necessary to confirm its existence
- Do not publicly disclose the issue before we have completed remediation
- Do not violate applicable laws in the course of their research
We consider research conducted under this policy to be authorized access under the U.S. Computer Fraud and Abuse Act and similar laws. If legal action is initiated by a third party against you for activity that complies with this policy, we will make this authorization known.
Recognition
We maintain a hall of fame for researchers who have reported valid vulnerabilities. If you would like to be listed, include your preferred display name in your report. Backbuild does not currently operate a paid bug bounty program, but we are evaluating one for a future launch.
Report a vulnerability
Email: security@backbuild.ai
Subject: VULNERABILITY REPORT
PGP: Available on request