This policy explains which assets are in scope, the expectations for researchers, and how to submit vulnerability reports. By submitting a report, you acknowledge and agree to follow the guidelines described below.
1. Scope of Testing
This policy applies to digital assets that are owned and maintained by BaseServ, including:
- billingserv.com
- demo.onlinebillingform.com
- id.baseserv.com
Any systems, services, or infrastructure not specifically listed above are considered out of scope.
2. Research Guidelines
To ensure responsible testing, you must comply with the following requirements:
- Do not perform actions that could negatively impact our services, infrastructure, or users. Prohibited activities include (but are not limited to) denial-of-service attacks, spam, automated abuse, or social engineering.
- Do not access, download, alter, or delete data that does not belong to you. If you unintentionally encounter sensitive or non-public data, stop testing immediately and report the issue.
- Do not publicly disclose any vulnerability until we have confirmed that it has been resolved.
- Provide clear, step-by-step reproduction details so our team can validate and remediate the issue. Reports lacking sufficient information may not be actionable.
- Conduct all research ethically and without intent to exploit or financially benefit from the vulnerability.
3. Submitting a Report
If you discover a potential security issue, please notify us as soon as possible by:
- Submitting a ticket through our official support portal; or
- Emailing us at security@baseserv.com.
If possible, please use encryption (such as PGP) when sharing sensitive details.
When reporting, include:
- A detailed description of the issue
- Steps to reproduce
- The affected URL or system
- Any proof-of-concept material (screenshots, logs, etc.)
4. Safe Harbor Commitment
If you comply with this policy and act in good faith:
- We will not pursue legal action related to your research.
- We will investigate and address the issue in a timely manner.
- We will treat your report confidentially.
This safe harbor applies only when all policy guidelines are followed.
5. Compensation
At this time, BaseServ does not operate a formal bug bounty program. While we may choose to acknowledge or reward contributions at our discretion, submission of a report does not entitle you to compensation.