Responsible Disclosure Policy
Last Updated June 3, 2026
Privacy Bee, LLC (“Privacy Bee,” “we,” “us,” or “our”) takes the security of our systems and the privacy of our users seriously. We welcome reports from security researchers and the public, and we are committed to working with you to verify and resolve any legitimate vulnerability you report.
1. Reporting a Vulnerability
If you believe you have found a security vulnerability in our Services, please report it to security@privacybee.com. To help us triage and resolve the issue quickly, please include:
(a) a description of the vulnerability and its potential impact;
(b) the steps required to reproduce it, including any URLs, payloads, or proof-of-concept;
(c) any relevant screenshots, logs, or supporting material.
Please report what you find promptly, and give us a reasonable opportunity to remediate the issue before disclosing it publicly.
2. Scope
This policy applies to vulnerabilities in services owned and operated by Privacy Bee, including privacybee.com and its subdomains, and our mobile applications.
3. Guidelines for Researchers
When investigating, we ask that you:
(a) make a good-faith effort to avoid privacy violations, data destruction, and any interruption or degradation of our Services;
(b) only access, store, or use the minimum data necessary to demonstrate the vulnerability, and never access, modify, or delete data belonging to other users;
(c) do not exploit the vulnerability beyond what is necessary to confirm it — for example, do not exfiltrate data, pivot to other systems, or maintain persistence;
(d) keep the details of any vulnerability confidential until we have had a reasonable time to remediate it.
4. Out of Scope
The following are generally not eligible under this policy: denial-of-service (DoS/DDoS) or volumetric testing; social engineering, phishing, or physical attacks against our staff, users, or facilities; spam or content injection without a demonstrable security impact; automated-scanner output without a validated, exploitable finding; and vulnerabilities in third-party services we do not control.
5. Our Commitment (Safe Harbor)
If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized, we will work with you to understand and resolve the issue promptly, and we will not pursue or support legal action against you in connection with your report. We will acknowledge your report, keep you reasonably informed of our progress, and tell you when the issue is resolved. We aim to acknowledge reports within five (5) business days.
6. Recognition
We do not currently operate a paid bug-bounty program. With your permission, we are glad to publicly acknowledge researchers who responsibly disclose valid, previously-unknown vulnerabilities.
This policy should be read together with our Privacy Policy and Terms of Service.
