Vulnerability Disclosure Policy

Last updated: March 31, 2026

Introduction

Blazemark takes the security of our platform and our customers' data seriously. We appreciate the work of security researchers who help us maintain a high security standard. This Vulnerability Disclosure Policy (VDP) explains how to report security vulnerabilities to us and what you can expect from us in return.

Blazemark operates a coordinated disclosure model: we ask that you do not publicly disclose a vulnerability before a fix has been shipped. We request a reasonable opportunity to investigate and remediate before any disclosure is made.

Scope

The following assets are in scope for this policy:

  • blazemark.org — the main web application and all authenticated features
  • API endpoints — all REST API endpoints served under blazemark.org
  • Subdomains — any subdomain of blazemark.org (e.g., app.blazemark.org)

Out of Scope

The following are explicitly out of scope and should not be tested:

  • Physical security attacks against Blazemark infrastructure or personnel
  • Social engineering attacks against Blazemark employees or customers
  • Denial-of-service (DoS/DDoS) attacks
  • Spam or email flooding
  • Attacks against third-party services or infrastructure not operated by Blazemark (e.g., our cloud providers, CDN, or sub-processors)
  • Vulnerabilities in software or services that Blazemark does not control
  • Issues already known to us or previously reported

Coordinated Disclosure

We ask that you follow responsible disclosure practices:

  • Do not publicly disclose a vulnerability before a fix has been shipped — we ask for a reasonable opportunity to investigate and remediate first
  • Do not exploit vulnerabilities beyond what is necessary to confirm they exist
  • Do not access, modify, or delete data that does not belong to you
  • Do not disrupt the availability of the service
  • Do not use automated scanners in a way that impacts performance for other users

We commit to not pursuing legal action against researchers who discover and report vulnerabilities in good faith, in accordance with this policy.

Safe Harbour

Blazemark will not initiate legal action against security researchers who:

  • Make a good faith effort to avoid harm to Blazemark, our customers, and the public
  • Report vulnerabilities promptly and do not exploit them beyond what is necessary to demonstrate the issue
  • Do not violate the privacy of Blazemark users or customers
  • Comply with the terms of this policy

We consider vulnerability research conducted consistent with this policy to constitute "authorized" access under applicable computer security laws. We will not bring a claim against you related to such research.

How to Report

To report a vulnerability, please send an email to:

security@blazemark.org

Use the subject line format: [SECURITY] Brief description of the issue

In the future, we may also accept reports via HackerOne. Check this page for updates on our HackerOne program once it is available.

Please include the following information in your report:

  • A clear description of the vulnerability and the potential impact
  • Step-by-step reproduction instructions (including any relevant URLs, parameters, or payloads)
  • An impact assessment — who could be affected and how
  • The type of vulnerability (e.g., XSS, SQL injection, IDOR, authentication bypass)
  • Any supporting screenshots, videos, or proof-of-concept code
  • Your name or handle (if you wish to be credited)

Please do not send vulnerability reports to our general support channel — use the security email address above.

Response Timeline

We aim to respond to all valid vulnerability reports within the following timeframes:

  Milestone                               Target
  --------------------------------------  ---------------------------------------------
  Acknowledgement of receipt              Within 48 hours
  Initial triage and severity assessment  Within 7 days
  Remediation (critical/high severity)    As soon as possible, typically within 30 days
  Remediation (medium/low severity)       Within 90 days

No Bug Bounty

Blazemark does not currently operate a paid bug bounty programme. We are a coordinated disclosure programme only. We appreciate your contribution to improving our security and, where appropriate, we will credit researchers in our public acknowledgements.

Contact

For security-related enquiries, please contact: security@blazemark.org

For all other enquiries, visit blazemark.org or contact our support team.

This policy is subject to change. Please check back periodically for updates.

The machine-readable version of this policy is available at /.well-known/security.txt