Responsible Disclosure Policy

Last Updated June 3, 2026

Privacy Bee, LLC (“Privacy Bee,” “we,” “us,” or “our”) takes the security of our systems and the privacy of our users seriously. We welcome reports from security researchers and the public, and we are committed to working with you to verify and resolve any legitimate vulnerability you report.

1. Reporting a Vulnerability

If you believe you have found a security vulnerability in our Services, please report it to security@privacybee.com. To help us triage and resolve the issue quickly, please include:

(a) a description of the vulnerability and its potential impact;

(b) the steps required to reproduce it, including any URLs, payloads, or proof-of-concept;

(c) any relevant screenshots, logs, or supporting material.

Please report what you find promptly, and give us a reasonable opportunity to remediate the issue before disclosing it publicly.

2. Scope

This policy applies to vulnerabilities in services owned and operated by Privacy Bee, including privacybee.com and its subdomains, and our mobile applications.

3. Guidelines for Researchers

When investigating, we ask that you:

(a) make a good-faith effort to avoid privacy violations, data destruction, and any interruption or degradation of our Services;

(b) only access, store, or use the minimum data necessary to demonstrate the vulnerability, and never access, modify, or delete data belonging to other users;

(c) do not exploit the vulnerability beyond what is necessary to confirm it — for example, do not exfiltrate data, pivot to other systems, or maintain persistence;

(d) keep the details of any vulnerability confidential until we have had a reasonable time to remediate it.

4. Out of Scope

The following are generally not eligible under this policy: denial-of-service (DoS/DDoS) or volumetric testing; social engineering, phishing, or physical attacks against our staff, users, or facilities; spam or content injection without a demonstrable security impact; automated-scanner output without a validated, exploitable finding; and vulnerabilities in third-party services we do not control.

5. Our Commitment (Safe Harbor)

If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized, we will work with you to understand and resolve the issue promptly, and we will not pursue or support legal action against you in connection with your report. We will acknowledge your report, keep you reasonably informed of our progress, and tell you when the issue is resolved. We aim to acknowledge reports within five (5) business days.

6. Recognition

We do not currently operate a paid bug-bounty program. With your permission, we are glad to publicly acknowledge researchers who responsibly disclose valid, previously-unknown vulnerabilities.

This policy should be read together with our Privacy Policy and Terms of Service.