Skip to main content

Report a Security Vulnerability

Updated January 13, 2022

If you believe you have discovered a vulnerability in a BuildBuddy product please report it.

Responsible Disclosure Policy

Safety and data security is of utmost priority for the BuildBuddy community. If you are a security researcher and have discovered a security vulnerability in our code base, we appreciate your help in disclosing it to us in a responsible manner.

  1. Please contact us at security@buildbuddy.io to report any security vulnerabilities found in our community development server, any of the open source code bases maintained by BuildBuddy, or any of our commercial offerings.
  2. Please refrain from requesting compensation for reporting vulnerabilities.
  3. We will acknowledge receipt of your vulnerability report and send you regular updates about our progress.
  4. If your report is reproducible as an exploit and results in a change to the code base or documentation of a BuildBuddy product, we will–at your option–publicly acknowledge your responsible disclosure.
  5. After a fix is made, we ask security researchers to wait 30 days after a release before announcing the specific details of a vulnerability, and to provide BuildBuddy with a link to any such announcements. In releases containing security fixes, BuildBuddy announces an update is available, acknowledges the contributions of security researches, and it withholds specific details until 30 days after availability to give time for the community to apply updates.

You are not allowed to search for vulnerabilities on any instance of BuildBuddy hosted by the team, users, or customers with the exception of non-disruptive testing on the community development server mentioned above.

BuildBuddy is open source software, you can install a copy yourself and test against that. If you want to perform testing that might break things please contact us to arrange access to a private staging server, so you don’t disrupt other people’s work on the community development server.

See the BuildBuddy Security Updates page for a list of security updates by release.

Many thanks to the security researchers who have responsibly contributed their findings to make the BuildBuddy code base more secure.

Security Research Hall of Fame

  • Nessim Jerbi