Vulnerability Disclosure Policy

At Brikl, we greatly value the support of IT security researchers and members of cybersecurity communities in helping us to maintain our high IT security standards.

If you identify an IT security vulnerability relating to any of our websites, please notify us promptly before disclosing it to the outside world so that we can take the necessary measures. This is known as responsible disclosure.

Please keep all information relating to the discovered vulnerability secret from all third parties for at least 90 days, allowing us to identify and implement the measures needed to address the issue you have reported.

The current scope for reporting includes the following websites:

Merchant dashboard: https://dashboard.brikl.com/
Developer Portal: https://developers.brikl.com/
Hosted Merchant websites

Other sites, as well as subdomains of the sites listed above, are currently not included within this scope. We regularly update this page, however, and it will reflect any changes to the scope for reporting.

How do you notify us?

If you have identified a security vulnerability, please proceed as follows:

Send us your notification as soon as possible via email to security@brikl.com

Please include the following information in your report:

your contact details (i.e., name, email address);
the type of vulnerability identified;
the service/device/application impacted by the vulnerability;
a detailed description of the problem encountered;
the IP address(es) from which the security vulnerability was identified, together with the date and time of the discovery;
a compressed archive (zip) with any files that can help reproduce the flaw (e.g., screenshots, images, text files with description details, PoC, source code, scripts, pcap traces, logs, source IP addresses, etc.).

The size of the email communication should not exceed 20MB. Please contact us in advance via the email address above should you need to send an attachment that is larger than this size.

Please act responsibly in dealing with your discovery of the identified security vulnerability. Do not take any actions beyond what is needed to identify and verify the issue. Please do not use the identified security vulnerability to your advantage and avoid storing any confidential data obtained due to the issue.

Examples of vulnerabilities we will consider

Injection and deserialization vulnerabilities (SQL/NoSQL/LDAP injection, command injection, object deserialization)
Broken authentication and broken access control vulnerabilities (incorrect implementation of authentication, session management, access control)
Sensitive data exposure (vulnerabilities that can lead to data leakage)
Cross-site scripting
Cross-site request forgeries
XML external entities
Server-side request forgeries
Redirect vulnerabilities
Underprotected API
Known and zero-day vulnerabilities under the spotlight

Examples of vulnerabilities we will not consider

We continuously monitor our internet-exposed assets to identify security issues and misconfigurations, and we therefore kindly ask that you avoid reporting the following items if they don’t lead to actual exploitation:

weak configurations of the TLS protocol;
reports of non-compliance with best practices (e.g., for SPF/DKIM/DMARC configuration, content security policy, TLS misconfigurations);
the output of well-known automated tools/solutions.

How will we respond?

If you report a valid security vulnerability relating to our websites specified above, we will process your report as follows.

We will confirm receipt of your report.
We will send you our response within 30 business days following the confirmation of receipt, setting out our assessment of the issue and the expected resolution date. In some special circumstances, we reserve the right to extend this period.
We will treat your report as confidential and will not share your details with third parties except when obliged by law.
We are currently not running a reward program for reporting vulnerabilities.