Security Policy

Last updated: 2026-05-22

The security of our software and our infrastructure is something we work on every day. We welcome reports from security researchers and members of the public who find a potential vulnerability, and we are committed to working with you to verify, address, and disclose it responsibly.

This policy explains what is in scope, how to report an issue, and what you can expect from us in return.

Scope

This policy covers:

  • https://bifrostsec.com and its subdomains, and the infrastructure that serves them.
  • The bifrost security platform, our runtime application security product.

The following are out of scope:

  • Third-party services and platforms we use but do not operate.
  • Social engineering of bifrost staff, customers, or partners.
  • Physical attacks against offices, hardware, or personnel.
  • Denial-of-service attacks, and any testing that degrades or interrupts our services.
  • Reports that consist only of automated scanner output, without a demonstrated, specific vulnerability and steps to reproduce it.

How to report

Email security@bifrostsec.com with as much detail as you can, ideally:

  • The affected asset, URL, or component.
  • Clear steps to reproduce the issue.
  • A description of the impact, and any proof-of-concept material.

If you are unsure whether something qualifies, report it anyway and we will take a look.

What to expect

When you send us a report in good faith:

  • We will acknowledge that we have received it.
  • We will keep you informed as we investigate and work on a fix.
  • We will credit you for the discovery once the issue is resolved, if you would like to be named.

We handle every report promptly, though we do not commit to fixed timeframes. Complex issues take longer than simple ones, and we would rather give you an honest picture than an arbitrary deadline.

Guidelines for researchers

When testing, please act in good faith:

  • Do not degrade, interrupt, or harm our services or their availability.
  • Do not access, modify, or delete data that does not belong to you. If you encounter someone else’s data, stop and tell us.
  • Do not run denial-of-service tests or social-engineering attempts.
  • Give us a reasonable opportunity to remediate an issue before disclosing it publicly, and coordinate disclosure timing with us.
  • Stay within the law, and only interact with accounts and systems you own or have explicit permission to test.

Recognition

We are grateful to everyone who takes the time to report a vulnerability responsibly. With your permission, we are happy to acknowledge your contribution once the issue has been resolved.