Cascading green code on a dark screen

Home / Vulnerability Disclosure

Found a security issue? Tell us.

We are a security firm. Holding ourselves to the same standard we sell means welcoming reports and treating researchers well.

Our commitment

Report in good faith and we will not pursue you. That is the deal.

This policy explains how to report a security vulnerability in Blue Shift Technology's website or services, and what you can expect from us in return. It is written for security researchers and for anyone who notices something wrong.

How to report

Email info@bstedge.com with “SECURITY” in the subject line. Machine-readable contact details are published at /.well-known/security.txt. Please include enough detail for us to reproduce the issue: the affected URL or asset, a description, and steps or a proof of concept. If you need to send sensitive detail, say so and we will arrange an encrypted channel.

Scope

In scope: bstedge.com and infrastructure we operate directly. Out of scope: third-party services we use but do not control (for example our hosting provider or form relay), findings that require a compromised device or physical access, social-engineering of our staff, and volumetric denial-of-service testing. When in doubt, ask before testing.

Safe harbor

If you make a good-faith effort to comply with this policy, we will consider your research authorized, we will not pursue or support legal action against you for it, and we will work with you to understand and resolve the issue quickly. Good faith means: you avoid privacy violations, data destruction, and service disruption; you access only the minimum needed to demonstrate the issue; and you do not exploit it beyond proof of concept.

Please do

  • Give us reasonable time to fix an issue before disclosing it publicly
  • Stop and report as soon as you find you can access data that is not yours
  • Keep the details of any vulnerability confidential until we confirm it is resolved

Please do not

  • Access, modify or delete data that is not your own
  • Degrade or interrupt our services, or those of our providers
  • Attempt to social-engineer, phish or physically access our staff or premises
  • Publicly disclose before we have had a fair chance to remediate

What to expect from us

We aim to acknowledge a report within a few business days, keep you updated as we investigate, and let you know when the issue is resolved. We do not currently run a paid bug-bounty program, but we are glad to credit researchers who report valid issues, if you would like the recognition.

Testing our clients

This policy covers our own assets only. It does not authorize testing of any client system. Never test a system because you saw it associated with us — that requires the owner's written permission, always.