Security contact

If you need to report a security issue

Written by Jordi Giménez
Updated over a week ago

To contact our security team you can use the address: support AT bugfender DOT com

Our security e-mail address can receive PGP encrypted e-mails with the following key:



Responsible Disclosure Program and Bug Bounty

At Bugfender, we consider the security of our systems a top priority, but no matter how much effort we put into system security, there can still be vulnerabilities present.

If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.

Please do the following:

  • Contact us with your findings. Encrypt them using our PGP key above, to prevent this critical information from falling into the wrong hands,

  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data,

  • Do not reveal the problem to others until it has been resolved,

  • Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties, and

  • Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.

What we promise:

  • We will respond to your report within 5 business days with our evaluation of the report and an expected resolution date,

  • If you have followed the instructions above, we will not take any legal action against you in regard to the report,

  • We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission,

  • We will keep you informed of the progress towards resolving the problem,

  • In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise), and

  • As a token of our gratitude for your assistance, we offer a reward for every significant report of a security problem that was not yet known to us. The amount of the reward will be determined based on the severity of the leak and the quality of the report. The maximum reward will be €1,000 for critical vulnerabilities. The value of the reward will be determined at our sole discretion.

Exclusions:

  • Previously known vulnerabilities will not be rewarded

  • DoS attacks are not permitted and will not be rewarded

  • Automated reports will not be accepted; we already run automated tools

  • Theoretical vulnerabilities without demonstrated impact on customers will not be rewarded

  • Not following best practices is not a vulnerability; please do not report it

  • If you detect that we're using third-party software (for example a CMS) and that software has a vulnerability, please open a bug report with the security team for that product

  • Bargaining over the reward we deemed appropriate will exclude you from the program

  • Repeated failure to observe these rules will result in your email address being blocked and your exclusion from the program

We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication of the problem after it is resolved.

Credit for these rules: https://responsibledisclosure.nl/en/
