Security Policy

Last Updated: April 29, 2025

At Buying Buddy, we are committed to ensuring the security of our systems and protecting the data of our users. This security policy outlines our approach to vulnerability reporting and our commitment to addressing security concerns.


Reporting Security Vulnerabilities

We appreciate the efforts of security researchers and the public in helping us maintain the security of our systems. If you discover a security vulnerability, we encourage you to report it to us as quickly as possible.

To report a security vulnerability, please contact:

Our Commitment

Upon receiving a security report, we are committed to:

  • Acknowledging receipt of your vulnerability report within 48 hours
  • Providing an initial assessment of the report within 5 business days
  • Prioritizing the remediation of valid vulnerabilities based on severity
  • Keeping you informed about the progress of resolving the issue
  • Publicly acknowledging your contribution (if desired) after the vulnerability has been fixed

Scope

The following systems and services are in scope for vulnerability reporting:

  • *.yourcompany.com domains and subdomains
  • Our official mobile applications
  • Our APIs and web services

The following are out of scope:

  • Social engineering attacks against our employees
  • Denial of Service (DoS) attacks
  • Physical security vulnerabilities
  • Third-party services we use but do not control

Responsible Disclosure Guidelines

We request that you:

  • Provide sufficient information to reproduce the vulnerability
  • Make a good-faith effort to avoid privacy violations, data destruction, or interruption of services
  • Do not access or modify data that does not belong to you
  • Allow reasonable time for us to address the issue before publishing any information about it

Legal Safe Harbor

We will not pursue legal action against individuals who:

  • Make a good-faith effort to comply with this policy
  • Report a vulnerability directly to us
  • Refrain from exploiting the vulnerability beyond what is necessary to verify it exists

We reserve the right to seek legal action for activities that violate laws or go beyond the scope of this policy.

Security Acknowledgments

We would like to thank the following individuals for their contributions to our security:

To be included in this list, please indicate in your report whether you wish to be acknowledged publicly.

Security Measures

We employ the following security measures to protect our systems and your data:

  • Regular security assessments and penetration testing
  • Encryption of sensitive data both in transit and at rest
  • Multi-factor authentication for administrative access
  • Regular security training for all employees
  • Continuous monitoring for suspicious activities

Updates to This Policy

This security policy may be updated from time to time. We will notify users of any significant changes by posting the new policy on this page.