Responsible Disclosure

We value the security community. Report vulnerabilities responsibly and we'll work with you.

Scope

  • findthebreach.com and all subdomains
  • Find The Breach REST API
  • Find The Breach web application and portal

Third-party services, social media accounts, and physical infrastructure are out of scope.

Rules of Engagement

  • Do not access, modify, or delete data belonging to other users
  • Do not perform denial-of-service attacks
  • Do not use automated scanning tools at high volume without prior approval
  • Do not publicly disclose the vulnerability before we've had time to remediate
  • Make a good-faith effort to avoid disruption to our services

Reporting Process

  1. Email your findings to security@findthebreach.com
  2. Include a detailed description, steps to reproduce, and a proof-of-concept; keep the proof-of-concept to the minimum needed to demonstrate the issue, and do not include data belonging to other users
  3. We will acknowledge receipt within 48 hours
  4. We aim to triage within 5 business days
  5. We will keep you informed of remediation progress

Safe Harbor

If you conduct security research in accordance with this policy, we will consider your research authorized and will not pursue legal action. We will work with you to understand and resolve the issue quickly.

This commitment aligns with the U.S. Department of Justice policy regarding charging violations of the Computer Fraud and Abuse Act (revised May 2022), which recognizes that good-faith security research should not be prosecuted. We also support the principles outlined in the DOJ’s Framework for a Vulnerability Disclosure Program and ISO/IEC 29147:2018 (Vulnerability Disclosure).

DMCA Safe Harbor: We will not bring a Digital Millennium Copyright Act (17 U.S.C. § 1201) claim against researchers who circumvent technological measures solely for the purpose of identifying and reporting vulnerabilities in our platform in accordance with this policy. If a third party initiates legal action against a researcher for activities conducted in compliance with this policy, we will take steps to make it known that the researcher's actions were authorized by Find The Breach.

Rewards

We offer recognition and rewards based on severity:

  • Critical: $1,000 – $5,000
  • High: $500 – $2,500
  • Medium: $200 – $1,000
  • Low: $50 – $250

Actual reward amounts are determined based on impact severity, exploitation complexity, report quality, and whether the vulnerability was previously known. Qualifying reports that meet our Rules of Engagement will always receive at least the minimum amount for their severity tier.

Coordinated Disclosure Timeline

Find The Breach follows a coordinated vulnerability disclosure process aligned with ISO/IEC 29147:2018 and CERT/CC guidelines:

  • Acknowledgment: Within 48 hours of receipt
  • Triage & Assessment: Within 5 business days — we assess severity, impact, and assign a tracking ID
  • Remediation Target: 30 days for Critical, 60 days for High, 90 days for Medium/Low
  • Status Updates: We will provide progress updates at least every 14 days until remediation is complete
  • Public Disclosure: We may publish anonymized details of resolved vulnerabilities 90 days after the initial report, or sooner if mutually agreed with the reporter
  • CVE Coordination: For qualifying vulnerabilities, we will coordinate CVE assignment through MITRE or an authorized CNA

We request that reporters refrain from publicly disclosing vulnerability details until the agreed disclosure date or until a fix has been deployed, whichever comes first.

Vulnerability Data Ethics

Find The Breach adheres to the following ethical principles in handling vulnerability data discovered through our platform:

  • Customer Confidentiality: Vulnerability findings discovered in customer scans are treated as strictly confidential. We will never disclose customer-specific vulnerability data to third parties, competitors, media, or the public without explicit written consent.
  • Upstream Coordination: If our scanning tools or research identify a previously unknown vulnerability (zero-day) in a widely-used third-party product, we follow coordinated vulnerability disclosure (CVD) practices per ISO/IEC 29147:2018 to notify the affected vendor before any public disclosure.
  • No Exploitation: Find The Breach will never use customer vulnerability data for competitive intelligence, marketing (beyond aggregated/de-identified statistics), or any purpose beyond providing and improving the Service.
  • Data Minimization: Scan data is retained only as long as necessary to provide the Service and comply with legal obligations. We do not stockpile vulnerability data beyond the retention periods specified in our Privacy Policy.
  • No Re-Selling: Customer scan results, vulnerability evidence, and remediation data are never sold, licensed, or shared with data brokers, advertisers, or intelligence agencies.

Contact

Report vulnerabilities to security@findthebreach.com. For PGP-encrypted communication, request our public key at the same address.