If you’ve found a vulnerability in our site or in Adamantius, we want to hear about it, and we’ll work with you in good faith to fix it.
- I
How to report
Email security@barkrowsystems.com with enough detail to reproduce the issue — the affected URL or component, the steps, and the impact you observed. If you can, encrypt sensitive details; ask us for a key. We acknowledge reports promptly and will keep you updated as we investigate.
- II
Safe harbor
If you make a good-faith effort to follow this policy, we will not pursue or support legal action against you for your research. We consider activity conducted under this policy to be authorized, and we’ll work with you to understand and resolve the issue quickly.
- III
The rules
Do
- Give us a reasonable time to investigate and fix an issue before disclosing it publicly.
- Use only your own test accounts and data.
- Stop as soon as you’ve confirmed a vulnerability, and report it.
Don’t
- Access, modify, or delete data that isn’t yours, or break tenant isolation.
- Attempt to defeat or reverse the PII boundary, or to recover raw identifiers from tokenized data.
- Run denial-of-service tests, send spam, or degrade the service for others.
- Use social engineering, phishing, or physical attacks against our staff or facilities.
- Publicly disclose a vulnerability before we’ve had a chance to remediate it.
- IV
Scope
In scope: barkrowsystems.com, app.barkrowsystems.com, and the Adamantius platform. Out of scope: our subprocessors’ own infrastructure (report those to the vendor), and findings that require physical access or compromised credentials you weren’t authorized to hold.
- V
What we don’t offer (yet)
We don’t currently run a paid bug-bounty program. We do offer our genuine thanks and, with your permission, public acknowledgment.
Security questions? Write to security@barkrowsystems.com.