Vulnerability Disclosure Policy

Draft only. Requires legal review before publication. This software provides compliance tooling, but does not provide legal advice.

Purpose

Give security researchers a channel and boundaries for reporting vulnerabilities.

Source model

This slot follows mature SaaS and security-software legal-center patterns: Zapier-style customer terms, DPA, subprocessors, security, and data-transfer material; Avast-style license, acceptable-use, privacy, IP, transparency, and accessibility material.

Jurisdiction focus

Prepare this for EU users and Czech-market operation. Complete operator details, Czech consumer wording, cookie consent behavior, GDPR roles, and cross-border transfer safeguards before publication.

Reporting channel

Provide a security email or form and include what information helps triage: affected URL, steps to reproduce, impact, evidence, and contact details.

Safe testing

Permit good-faith testing that avoids privacy violations, destructive actions, spam, social engineering, physical attacks, persistence on systems, and data exfiltration.

Out-of-scope

List examples such as denial-of-service, automated high-volume scanning, user enumeration without demonstrated impact, clickjacking without a sensitive action, and reports on third-party systems not controlled by BAAM AI.

Response

Describe acknowledgement, triage, remediation, credit, and disclosure coordination expectations.

No bounty unless stated

State whether BAAM AI operates a paid bug bounty. If not, say reports are voluntary.

Completion checklist