Dritarr Inc welcomes security research that helps keep BotPM.ai customers safe. This policy describes how to report vulnerabilities, what is in scope, and how we will respond. A machine-readable version is published at /.well-known/security.txt.
Reporting channel
Use the form below to send a report directly to our security inbox. We will send an automated acknowledgement to the email you provide and follow up within 3 business days. You can also email hello@botpm.ai directly. PGP-encrypted reports will be accepted once our key is published at /.well-known/pgp-key.txt (placeholder).
Scope
- botpm.ai and its subdomains, except those clearly marked as third-party.
- The BotPM.ai web application and authenticated APIs.
- Mobile or desktop clients distributed by BotPM.ai (when available).
Out of scope: denial-of-service tests, social engineering of staff or customers, physical attacks, automated scanner output without proof of impact, attacks against third-party services we depend on, and findings that require already-compromised accounts.
Safe harbor
We will not pursue civil action or refer reports to law enforcement for good-faith research that complies with this policy. "Good faith" means: avoiding privacy violations, destruction of data, and degradation of service; using only the access necessary to demonstrate the issue; stopping testing as soon as you have proof of impact; and giving us a reasonable period to remediate before public disclosure (we recommend 90 days).
Response targets
- Acknowledgement within 3 business days.
- Initial triage within 10 business days.
- Remediation timelines depend on severity; critical issues are prioritized.
Recognition
We do not currently run a paid bug-bounty program. Researchers who report valid issues and follow this policy will be acknowledged in this Hall of Fame on request:
- (No public acknowledgements yet — be the first.)