Vulnerability Disclosure Policy

Responsible Vulnerability Disclosure Policy — Bron Foundation

About the Program

🔐 Non-Custodial Operations

Bron never holds or controls user private keys, funds, or assets. All transactions are user-initiated and executed directly with third-party smart-contract protocols. Swap and staking functions are performed via independent third-party APIs. Bron only provides technical access and does not pool, intermediate, or custody user assets.

Bron Foundation welcomes responsible security researchers who help us protect our users and their assets. Our Bug Bounty program is aimed at identifying and eliminating vulnerabilities in our products and services.

This document constitutes the Bron Foundation Responsible Vulnerability Disclosure Policy (hereinafter — VDP). It defines the principles, scope, and conditions for responsible reporting of security vulnerabilities within Bron products and services.

Reward assessment and payout conditions are described on the Rewards page.
Report formatting and submission requirements are provided on the Vulnerability Report page.

The following sections describe the testing scope permitted within the program, exclusions, testing rules, report submission process, handling timelines, embargo terms, and legal framework for participation.

Program Authorisation & Research Guarantees

Authorization / Explicit Consent / Safe Harbour

Bron authorises good-faith security research on the systems listed in this Policy. Actions performed in accordance with the Policy will not result in civil or criminal claims by Bron. This authorisation does not extend to third-party systems.

Scope & Third-Party Exposure

Testing is limited to assets owned and operated by Bron and its subsidiaries. Third-party services, vendors, and integrated platforms are out of scope unless expressly designated in writing.

Data Protection

Researchers must avoid accessing personal data. If such data is encountered, testing must cease immediately, the data must be deleted securely, and Bron must be notified without delay.

Intellectual Property

By submitting a report, the researcher grants Bron a non-exclusive, royalty-free, perpetual licence to use, reproduce, and modify submission materials for remediation and disclosure purposes. The researcher retains ownership of their submission.

Liability & Indemnity

The Program is provided "as is". Participation is voluntary and at the researcher's own risk. Bron's total liability under this Program is limited to the bounty amount paid.

Age & Capacity

Participants must be at least 18 years old or of legal age in their jurisdiction.

Regulatory Disclosure

Bron may disclose vulnerability information to competent regulators or law-enforcement authorities when legally required, notifying the researcher unless prohibited by law.

Governing Law & Jurisdiction

This Policy and all disputes arising from it are governed by the laws of England and Wales, subject to the exclusive jurisdiction of the courts of England and Wales.

Testing Scope (In Scope)

Within the program, testing of the following infrastructure components is permitted:

  • Web Applications and APIs: *.bron.org, *.bron.xyz (including all subdomains and API endpoints)
  • Mobile Applications: Android / iOS (NOT ACTIVE — program launching soon)
  • Desktop Applications: Windows / macOS
  • Smart Contracts: deployed on Ethereum Mainnet, Optimism, and their testnets (Sepolia, Holesky)
  • MPC Cryptography Library: bron-crypto — Open source MPC (Multi-Party Computation) cryptography library for threshold signature schemes. See the Security Policy for scope details and the MPC Library Rewards page for reward information.

⚠️ Mobile Program Status

The Mobile Bug Bounty program is not currently active. Bug reports for Android and iOS applications are not accepted at this time. See the Mobile page for details.

Program Exclusions (Out of Scope)

The following types of testing and vulnerabilities are not covered by our Bug Bounty program:

🔗 Platform-Specific Exclusions

In addition to the general exclusions listed below, each testing scope has its own additional specific exclusions.

Prohibited Testing Methods

  • Physical access to our offices or servers
  • Social engineering or phishing of employees or customers
  • DoS/load testing without prior coordination
  • DDoS attacks — Distributed denial-of-service attacks are not accepted and will not be rewarded
  • Theoretical findings without a working or reproducible PoC

Low-Risk Vulnerabilities (Low/Info)

The following types of vulnerabilities are not considered significant for our program:

  • Public or non-sensitive API keys (e.g. Google Maps)
  • Account or email enumeration via brute-force
  • Weak password or rate-limiting policies without proven account compromise
  • Low-impact session issues (concurrent sessions, session not invalidated after password change or 2FA enablement, missing idle/absolute session timeout, logout not clearing all sessions, session token rotation without demonstrated account takeover)
  • Clickjacking / UI redressing
  • File upload bypasses without evidence the file was received or executed
  • Browser autocomplete / saved credentials
  • Verbose error messages without sensitive data exposure
  • Directory listing or structure enumeration without critical data
  • Missing or incomplete SPF / DKIM / DMARC records, DNS infrastructure findings (DNSSEC misconfigurations, missing CAA records, DNS zone configuration) without demonstrated security impact
  • SSL/TLS configuration findings (mixed content, weak ciphers, POODLE, Heartbleed) without working PoC
  • Missing cookie flags (Secure, HttpOnly), CORS misconfigurations without demonstrated cross-origin data exfiltration, Content-Security-Policy issues, and other generic HTTP security header findings without a working exploit
  • Reflected file download (RFD) without exploitation
  • Open redirect / URL redirection without escalation
  • Low-impact CSRF (e.g. toggling non-critical UI preferences, changing display settings)
  • Low-impact XSS (requires self-execution or unrealistic user action)
  • Information disclosure of non-sensitive data (software versions, PHP info, server-status)
  • Use of outdated libraries leading only to low-impact issues
  • Findings affecting outdated browsers, plugins or platforms
  • Self-XSS or text-only injection without HTML/JS execution
  • CSV injection, SSH/WordPress username enumeration, IIS tilde disclosure, Snoop info disclosure
  • Vulnerabilities that require MITM position to exploit (unless sensitive data is exposed)
  • Best-practice recommendations not directly affecting security posture (e.g., missing Subresource Integrity attributes, absence of security-related logging or notifications, configuration hardening suggestions). A qualifying vulnerability must demonstrate exploitable impact — improvement recommendations alone are not eligible

Zero-day Vulnerabilities in Third-Party Software

Bron accepts third-party zero-day reports discovered incidentally while testing Bron systems. Independent testing of third-party products without consent remains prohibited.

Report Acceptance Conditions

  • Mandatory vendor notification: Information about the vulnerability must be provided to the software developer. We reserve the right to forward the report to maintainers, publish it in a public tracker (e.g., GitHub Issues), or coordinate disclosure with the vendor.
  • Coordinated disclosure: We do not accept private zero-day vulnerabilities with a requirement not to disclose them to the vendor or community.
  • Reward assessment: The possibility and amount of a Bug Bounty for such vulnerabilities is determined individually by our committee, taking into account the impact of the vulnerability on the security of Bron products.

⚠️ Important Notice

Bron does not encourage or promote testing of third-party proprietary software in violation of their security policies or license agreements. We do not authorise deliberate testing of systems outside this Policy and are not responsible for researchers' actions regarding third-party systems.

If you discover a vulnerability in third-party software, we recommend contacting the vendor directly through their official Bug Bounty program or vulnerability disclosure channels.

Responsible Testing Rules

To ensure security and prevent false positives in our monitoring systems, follow these rules:

Mandatory Requirements

  1. Test traffic identification: In HTTP requests during testing, add the header X-Bron-Bugbounty: <[email protected]>.
  2. Use of test accounts: Only use test accounts when testing (if needed, email [email protected]).
  3. Load testing coordination: Do not send load traffic without prior coordination. Such testing requires advance coordination with Bron via email for an authorized time period.

📱 Special Cases

If a researcher cannot add a header (e.g., during mobile testing), they must clearly indicate steps in the report with confirmation via network logs and/or screenshots.

Ethical Principles

  • Do not disrupt service availability (DoS only with prior approval)
  • Do not access real user data (test accounts only)
  • Use only the minimum necessary PoC to confirm the vulnerability. If testing may affect other users or system availability, contact us first for approval. Further exploitation or post-exploitation is strictly prohibited
  • Automated scanning must be limited to 5 requests per second
  • Maintain confidentiality of discovered vulnerabilities until they are fixed

Report Submission Process

Submit vulnerability reports to: [email protected]

For detailed requirements on report format and required information, please refer to our Vulnerability Report page.

📧 Submission Recommendations

To ensure secure transmission of sensitive information, we recommend using PGP encryption. Our public key is available at: https://security.bron.xyz/pgp.txt

Processing Timeline (SLA)

  • Acknowledgment: within 3 business days
  • Initial triage: up to 10 business days
  • Critical fix: up to 30 days
  • High fix: up to 60 days
  • Others: by priority

Embargo and Publication Policy

To ensure the security of our users and allow time for vulnerability remediation, the following policy applies:

Embargo Terms

  • Standard term: up to 60 days after vulnerability confirmation
  • Critical cases: up to 90 days by mutual agreement
  • Publication of details: after fix or by mutual agreement
  • No agreement: if no mutual agreement is reached within the embargo period, the researcher may publish responsibly after providing Bron 10 days' written notice.

Researcher Obligations

When an embargo period is established, the researcher agrees to:

  • Not publish technical details of the vulnerability
  • Not disclose information to third parties
  • Not distribute PoC or related information
  • Observe the period until receiving written permission from Bron Foundation

Legal Terms

By participating in the Bug Bounty program, you agree to the following terms:

Researcher Obligations

  • Act in good faith and within the VDP rules
  • Grant Bron the right to use and store PoC for the purpose of eliminating the vulnerability
  • Confirm that you do not violate third-party rights
  • Comply with cybersecurity laws of your country
  • Follow all prohibited activities guidelines specific to each testing scope

Eligibility

Program researchers must be legally capable individuals aged 18 or older (or of legal age in their jurisdiction) who are not and have not been (within the past year) employees, contractors, or affiliates of Bron Foundation, its subsidiaries, or organizations contracted for development and support of information systems.

KYC Requirements

For rewards exceeding $10,000 USD, KYC verification is required before payout processing:

  • Valid government-issued ID (passport, driver's license, or national ID card)
  • Proof of address (utility bill or bank statement dated within last 3 months, redacted except name and address)
  • OFAC sanctions screening (rewards cannot be paid to individuals or entities on international sanctions lists)
  • Tax documentation (if applicable based on your jurisdiction)

The collection and processing of KYC information will be handled securely by Bron Foundation in accordance with applicable data protection regulations. All personal data will be stored encrypted and used solely for the purpose of reward payment processing and legal compliance.

Reward Distribution & NFT Entitlement

To receive any bounty reward, researchers must create a Bron wallet.

Bounty rewards are distributed in stablecoins to the researcher's Bron wallet address.

In addition to any monetary reward, researchers whose submissions are accepted as eligible for a bounty shall receive a non-transferable Bron NFT.

The NFT provides access to a complimentary Basic tier subscription for the 2026 calendar year. If the researcher already holds an active Basic tier subscription, the NFT will grant an upgrade to the next available tier, capped at Enterprise level.

The NFT is provided solely for utility purposes, has no monetary value, is not redeemable for cash or digital assets, and does not represent any ownership, investment, or financial interest in Bron or its products.

Bron Rights

  • Refuse payment for duplicate vulnerabilities, out-of-scope vulnerabilities, or reports without PoC
  • Determine the final assessment and reward amount
  • Set embargo periods at their discretion within the framework of this policy

🌍 Geographic Restrictions

Researchers from all countries may participate in the program, except for individuals and organizations located in or acting on behalf of jurisdictions subject to international sanctions or export restrictions.

Excluded territories: Cuba, Iran, North Korea, Syria, and the Crimean region of Ukraine.