Vulnerability disclosure policy
BeccaSecure Consulting Inc. welcomes responsible reports of suspected security vulnerabilities affecting this website or public BeccaSecure-owned web assets. This policy explains how to report issues safely and what conduct is expected during testing.
Scope
This policy applies to publicly accessible BeccaSecure Consulting Inc. web assets operated under the beccasecure.ca domain.
This policy does not authorize testing against third-party services, client environments, cloud provider platforms, email providers, identity providers, payment providers, social media platforms or other systems not owned or operated by BeccaSecure Consulting Inc.
Reports we are interested in
- Authentication or authorization weaknesses affecting BeccaSecure-owned systems.
- Exposure of non-public data belonging to BeccaSecure Consulting Inc.
- Cross-site scripting, injection, broken access control or misconfiguration that creates a real security impact.
- Security header, transport security or content security issues that create practical exploitation risk.
Out of scope activity
- Denial of service, stress testing, resource exhaustion or traffic flooding.
- Social engineering, phishing, physical attacks or attempts to access employee, client or partner accounts.
- Automated high-volume scanning that could degrade availability or create operational noise.
- Testing that accesses, modifies, deletes or exfiltrates data beyond what is necessary to demonstrate impact.
- Public disclosure before BeccaSecure has had a reasonable opportunity to investigate and respond.
How to report
Send reports using the contact channel published in the security.txt file:
If the report includes sensitive technical details, you may encrypt it using the BeccaSecure public OpenPGP key published at /.well-known/security-pgp.txt.
Please include a clear description of the issue, the affected URL, reproduction steps, observed impact, supporting screenshots or proof-of-concept details and any suggested remediation. Do not include unrelated personal information, client information, credentials, sensitive data dumps or destructive proof of exploitation.
Good faith testing
BeccaSecure will not pursue action against researchers who make a good-faith effort to follow this policy, avoid privacy violations, avoid service disruption, avoid data destruction and report findings promptly.
If sensitive data is encountered, stop testing immediately, do not retain or share the data and include only the minimum information needed for BeccaSecure to verify the issue.
Response expectations
BeccaSecure will review credible reports and prioritize remediation based on severity, exploitability, affected assets and business risk. Submission of a report does not create an employment, vendor, bounty or payment relationship.
BeccaSecure does not operate a public bug bounty program at this time and does not guarantee compensation, rewards or public acknowledgment.