Vulnerability Disclosure Policy

Version: 6.0  ·  Effective Date: June 15, 2026  ·  Last Updated: June 15, 2026

Purpose

brainCloud is committed to maintaining the security, integrity, and availability of its services.

We welcome responsible reporting of security vulnerabilities that may affect brainCloud systems, services, applications, websites, or infrastructure.

This Vulnerability Disclosure Policy describes how security researchers, customers, and members of the public may report suspected security vulnerabilities to brainCloud.

Additional security, privacy, and compliance information is available through the brainCloud Trust Center.

Scope

This Policy applies to security vulnerabilities affecting:

  • brainCloud Public BaaS Services;
  • brainCloud-operated websites;
  • brainCloud customer portals;
  • brainCloud APIs;
  • brainCloud-hosted services; and
  • other systems expressly owned or operated by brainCloud.

This Policy does not apply to:

  • customer applications;
  • customer content;
  • customer integrations;
  • third-party services not controlled by brainCloud; or
  • systems outside brainCloud’s ownership or control.

This Policy also applies to brainCloud-operated AI-enabled services and interfaces under brainCloud’s control.

Reporting a Vulnerability

Potential vulnerabilities should be reported to:

Security Contact: <se******@***********ud.com>

Reports should include, where reasonably available:

  • description of the vulnerability;
  • affected system or service;
  • steps to reproduce;
  • proof-of-concept information;
  • potential impact; and
  • contact information for follow-up.

brainCloud may request additional information to assist with investigation and validation.

Certain vulnerability reports may be considered for eligibility under a separate brainCloud bug bounty program where applicable.

What Researchers Can Expect

Upon receipt of a vulnerability report, brainCloud may:

  • acknowledge receipt of the report;
  • review the information provided;
  • request clarification or additional information;
  • investigate the reported issue; and
  • communicate status updates at brainCloud’s discretion.

brainCloud does not guarantee specific response or remediation timelines.

Good Faith Security Research

brainCloud supports responsible, good-faith security research conducted in a manner intended to:

  • improve security;
  • avoid harm to customers;
  • avoid disruption of services;
  • avoid unauthorized access to customer data; and
  • avoid privacy violations.

Researchers are encouraged to act responsibly and minimize any potential impact on systems, services, users, or data.

Researchers should make reasonable efforts to:

  • avoid privacy violations;
  • avoid accessing customer data;
  • avoid service disruption;
  • avoid persistence within systems; and
  • avoid actions that could negatively affect customers or users.

Safe Harbor

brainCloud will not knowingly pursue legal action against researchers who act in good faith and comply with this Policy, except where required by law or necessary to protect customers, users, systems, or third parties.

Provided that activities are conducted in good faith and in accordance with this Policy, brainCloud generally will not pursue legal action against researchers solely for:

  • identifying vulnerabilities;
  • testing vulnerabilities within the limits described by this Policy; or
  • responsibly reporting vulnerabilities to brainCloud.

This Safe Harbor does not apply to activities that:

  • violate applicable law;
  • intentionally harm systems;
  • access customer data;
  • disrupt services;
  • compromise privacy;
  • exceed the scope of this Policy; or
  • otherwise create risk to customers or third parties.

brainCloud reserves all legal rights and remedies regarding activities outside the scope of this Policy.

Prohibited Activities

The following activities are prohibited:

  • accessing, downloading, modifying, deleting, or exfiltrating customer data;
  • intentionally disrupting services;
  • denial-of-service attacks;
  • distributed denial-of-service attacks;
  • social engineering;
  • phishing;
  • physical security testing;
  • credential theft;
  • malware deployment;
  • ransomware activity;
  • privilege escalation beyond what is necessary to demonstrate a vulnerability;
  • automated scanning that materially impacts service availability; or
  • any activity that violates applicable law.

If a vulnerability is discovered during testing, researchers should cease testing and report the issue promptly.

Permitted Testing Activities

Researchers should use their own accounts and test data whenever reasonably possible.

Confidentiality & Disclosure

Researchers should not publicly disclose vulnerabilities until:

  • brainCloud has had a reasonable opportunity to investigate and remediate the issue; and
  • coordinated disclosure has been agreed upon by brainCloud.

brainCloud may request that researchers delay disclosure where necessary to protect customers, services, or ongoing remediation efforts.

Investigation Process

Upon receipt of a vulnerability report, brainCloud may:

  • acknowledge receipt;
  • review the report;
  • request additional information;
  • investigate the reported issue;
  • determine severity and impact; and
  • implement remediation measures as appropriate.

brainCloud does not guarantee remediation timelines and reserves discretion regarding prioritization and remediation activities.

Recognition & Compensation

brainCloud appreciates responsible disclosure efforts that improve the security of its services.

brainCloud may, at its sole discretion, provide recognition, acknowledgement, bug bounty awards, or other compensation for eligible vulnerability reports.

brainCloud maintains a separate bug bounty program that may be made available to selected participants, researchers, customers, partners, or other individuals at brainCloud’s discretion.

Eligibility, scope, reward amounts, program requirements, and participation terms are governed by the applicable bug bounty program documentation.

Submission of a vulnerability report under this Policy does not create a contractual relationship and does not guarantee eligibility for compensation, recognition, or participation in any bug bounty program.

brainCloud reserves the right to determine eligibility, severity classifications, reward amounts, and recognition decisions in its sole discretion.

Submission of a vulnerability report does not transfer ownership of intellectual property or research materials unless otherwise agreed in writing.

brainCloud may receive reports from multiple researchers regarding the same or substantially similar vulnerabilities. Recognition, acknowledgement, or any discretionary reward may be determined by brainCloud in its sole discretion.

No Warranty

brainCloud makes no representations regarding:

  • acceptance of vulnerability reports;
  • remediation timelines;
  • vulnerability severity determinations;
  • compensation; or
  • public acknowledgement.

All vulnerability handling activities are performed at brainCloud’s discretion.

Contact Information

Security Contact: <se******@***********ud.com>

Additional information is available through:

DISCLAIMER

This Vulnerability Disclosure Policy is provided for informational purposes only.

Nothing in this Policy creates contractual obligations, warranties, service commitments, bug bounty obligations, or legal rights beyond those expressly required by applicable law.
