Security Disclosure Policy

If you've discovered a security issue in any Build Bench Studio system, thank you for reporting it. This page tells you how.

How to report

Email [email protected] with:

• The subdomain or endpoint affected (e.g. humanizer.buildbench.ca)
• Steps to reproduce (proof-of-concept code is appreciated)
• Impact assessment in your own words
• Your name / handle for credit (optional)

Response timeline

• 72 hours: acknowledgment of receipt
• 7 days: triage and severity assessment
• 30 days: fix deployed for HIGH or CRITICAL, or written rationale for delay

In scope

• All *.buildbench.ca subdomains and the apex domain
• Cloudflare Workers source code (when published or accessible)
• Supabase REST endpoints exposed via the workers
• Email infrastructure under *@buildbench.ca

Out of scope

• Denial-of-service attacks against any infrastructure
• Social engineering of Build Bench operators or customers
• Physical attacks or attempts to gain physical access
• Issues in third party SaaS we depend on (Cloudflare, Stripe, Supabase, Apify, Resend). Report those to the respective vendor.
• Brute-force / credential stuffing without proven account compromise
• Issues requiring user interaction beyond a single click (e.g. self-XSS)

Safe harbor

We will not pursue legal action against researchers who:

• Act in good faith and follow this policy
• Do not exfiltrate user data beyond what's needed to demonstrate the issue
• Do not publicly disclose before we've had reasonable time to fix
• Do not degrade the experience of our customers (no DOS testing)

Bounties

We don't run a formal bug bounty program. For verified, previously unknown issues we may offer a small thank you payment at our discretion (typically $50 to $500 depending on severity), and we'll credit you publicly with your permission.