# Security Policy

## Reporting a Vulnerability
The BDR Agent Factory team takes security seriously. We appreciate your efforts to responsibly disclose your findings.
### How to Report
Please DO NOT report security vulnerabilities through public GitHub issues.
Instead, please report them via email to:
📧 security@bdragentfactory.com
Include the following information:
- Type of vulnerability (e.g., SQL injection, XSS, authentication bypass)
- Full paths of source file(s) related to the vulnerability
- Location of the affected source code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact of the vulnerability
- Your contact information for follow-up
### What to Expect
- Acknowledgment: Within 24 hours
- Initial Assessment: Within 72 hours
- Regular Updates: Every 7 days until resolution
- Resolution Timeline: Critical issues within 7 days, high severity within 30 days
## Supported Versions
We provide security updates for the following versions:
| Version | Supported |
|---|---|
| 2.x.x | ✅ Yes |
| 1.x.x | ✅ Yes (until Jun 2026) |
| < 1.0 | ❌ No |
## Security Measures

### Authentication & Authorization
- OAuth 2.0 for API authentication
- JWT tokens with RS256 signing
- Role-Based Access Control (RBAC) for fine-grained permissions
- API key rotation every 90 days
- Multi-factor authentication (MFA) for admin accounts
### Data Protection
- TLS 1.3 for all data in transit
- AES-256 encryption for data at rest
- Field-level encryption for sensitive PII
- Key management via AWS KMS/Azure Key Vault
- Data retention policies compliant with GDPR/HIPAA
### Infrastructure Security
- Network isolation with VPCs and security groups
- Web Application Firewall (WAF) for DDoS protection
- Intrusion Detection System (IDS) monitoring
- Regular security scanning with Snyk, Bandit, and OWASP ZAP
- Container security with image scanning and runtime protection
### Application Security
- Input validation on all API endpoints
- SQL injection prevention with parameterized queries
- XSS prevention with output encoding
- CSRF protection with tokens
- Rate limiting to prevent abuse
- Security headers (CSP, HSTS, X-Frame-Options)
### Monitoring & Logging
- Security Information and Event Management (SIEM)
- Real-time alerting for suspicious activity
- Audit trails for all sensitive operations
- Log retention for 7 years (compliance requirement)
- Anomaly detection with ML-based monitoring
## Compliance

### Certifications
- ⏳ SOC 2 Type II (In Progress)
- ⏳ ISO 27001 (Planned Q3 2026)
- ✅ HIPAA Compliant
- ✅ GDPR Compliant
- ⏳ PCI DSS (Planned Q4 2026)
### Regulatory Compliance
- IFRS 17 - Insurance contracts accounting
- HIPAA - Healthcare data privacy
- GDPR - Data protection regulation
- AML - Anti-money laundering
- CCPA - California Consumer Privacy Act
## Security Best Practices

### For Users

#### Protect API Keys
- Never commit API keys to version control
- Use environment variables or secret managers
- Rotate keys regularly (every 90 days)
#### Use HTTPS
- Always use HTTPS for API calls
- Verify SSL certificates
- Pin certificates in production
#### Implement Rate Limiting
- Set appropriate rate limits for your use case
- Monitor for unusual traffic patterns
- Implement exponential backoff
#### Validate Input
- Validate all user input before sending to API
- Sanitize data to prevent injection attacks
- Use allowlists instead of denylists
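The four practices above (key from the environment, HTTPS with certificate verification, allowlist validation, exponential backoff) fit together in one small client helper. The code below is an added example and is not part of the BDR Agent Factory SDK; the environment variable name `BDR_API_KEY`, the `/agents/<name>` path, the agent-name character set and the retry parameters are all assumptions made for the illustration. Certificate pinning is not shown; the transport relies on the standard library's default verified TLS context.

```python
"""Client-side hardening helpers for calling an HTTPS API (added example, not SDK code)."""
import os
import random
import re
import ssl
import time
import urllib.error
import urllib.request
from typing import Callable, Mapping, Tuple
from urllib.parse import urlparse

# Allowlist: the only characters an agent identifier may contain (assumed format).
# Anything outside it is rejected outright rather than "sanitized" with a denylist.
AGENT_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")

# Throttling and transient server errors are the only responses worth retrying.
RETRYABLE_STATUSES = {429, 500, 502, 503, 504}


def load_api_key(env: Mapping[str, str] = os.environ, name: str = "BDR_API_KEY") -> str:
    """Read the API key from the environment (assumed variable name); never hardcode it."""
    key = env.get(name, "").strip()
    if not key:
        raise RuntimeError(f"{name} is not set; provide it via the environment or a secret manager")
    return key


def is_valid_agent_name(name: str) -> bool:
    """True only if the name is entirely within the allowlisted character set."""
    return bool(AGENT_NAME_RE.fullmatch(name))


def validate_agent_name(name: str) -> str:
    if not is_valid_agent_name(name):
        raise ValueError("agent name contains characters outside the allowlist")
    return name


def is_https_url(url: str) -> bool:
    """Refuse plaintext http:// so the key is never sent in the clear."""
    parts = urlparse(url)
    return parts.scheme == "https" and bool(parts.netloc)


def build_agent_url(base_url: str, agent_name: str) -> str:
    """Assemble https://<host>/agents/<name> (assumed path) after validating both parts."""
    if not is_https_url(base_url):
        raise ValueError("base URL must use https://")
    return f"{base_url.rstrip('/')}/agents/{validate_agent_name(agent_name)}"


def backoff_delay(attempt: int, base: float = 0.5, cap: float = 30.0,
                  rng: Callable[[], float] = random.random) -> float:
    """Full-jitter exponential backoff: uniform in [0, min(cap, base * 2**attempt)]."""
    return rng() * min(cap, base * (2 ** attempt))


def call_with_retry(send: Callable[[], Tuple[int, str]], max_attempts: int = 5,
                    sleep: Callable[[float], None] = time.sleep,
                    rng: Callable[[], float] = random.random) -> Tuple[int, str]:
    """Call `send` until it returns a non-retryable status or attempts run out.

    `send` returns (status_code, body). Sleeping and randomness are injectable so the
    retry logic can be exercised offline without a network."""
    status, body = 0, ""
    for attempt in range(max_attempts):
        status, body = send()
        if status not in RETRYABLE_STATUSES:
            return status, body
        if attempt < max_attempts - 1:
            sleep(backoff_delay(attempt, rng=rng))
    raise RuntimeError(f"giving up after {max_attempts} attempts, last status {status}")


def https_get(url: str, api_key: str, timeout: float = 10.0) -> Tuple[int, str]:
    """One GET over TLS. The default context verifies the chain and hostname; a
    verification failure raises ssl.SSLError instead of silently proceeding."""
    ctx = ssl.create_default_context()
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {api_key}"})
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Return the status so the caller decides whether to retry (429/5xx) or stop.
        return err.code, err.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Performs a real request; requires BDR_API_KEY in the environment.
    key = load_api_key()
    url = build_agent_url("https://api.bdragentfactory.com", "demo-agent")
    print(call_with_retry(lambda: https_get(url, key)))
```

The retry loop only re-sends on 429 and 5xx responses; a 401 or 403 is returned immediately, since repeating it would just add noise to the server's audit log. Passing `sleep` and `rng` as parameters is what makes the backoff schedule testable without waiting.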
#### Monitor Usage
- Review audit logs regularly
- Set up alerts for suspicious activity
- Track API usage patterns
### For Developers

#### Secure Coding
- Follow OWASP Top 10 guidelines
- Use static analysis tools (Bandit, SonarQube)
- Conduct code reviews for security
#### Dependency Management
- Keep dependencies up to date
- Use `pip-audit` or `safety` for Python
- Monitor for CVEs in dependencies
#### Secret Management
- Use AWS Secrets Manager or HashiCorp Vault
- Never hardcode secrets
- Implement secret rotation
#### Testing
- Write security tests
- Perform penetration testing
- Use DAST tools (OWASP ZAP)
#### Deployment
- Use infrastructure as code (Terraform)
- Implement least privilege access
- Enable audit logging
## Vulnerability Disclosure Policy

### Scope
In Scope:
- BDR Agent Factory API (api.bdragentfactory.com)
- Official SDKs (Python, JavaScript)
- Documentation website (docs.bdragentfactory.com)
- GitHub repositories
Out of Scope:
- Third-party services and integrations
- Social engineering attacks
- Physical security
- Denial of Service (DoS) attacks
### Rules of Engagement
Allowed:
- Testing on your own accounts
- Automated scanning with rate limiting
- Responsible disclosure
Not Allowed:
- Testing on other users' accounts
- Destructive testing (data deletion, corruption)
- Social engineering of employees
- Physical attacks on infrastructure
- Denial of Service attacks
### Safe Harbor
We consider security research conducted under this policy to be:
- Authorized under the Computer Fraud and Abuse Act (CFAA)
- Exempt from DMCA anti-circumvention provisions
- Protected from legal action by BDR Agent Factory
We will not pursue legal action against researchers who:
- Follow this policy
- Report vulnerabilities responsibly
- Do not exploit vulnerabilities beyond proof-of-concept
- Do not access or modify user data
## Bug Bounty Program

### Rewards
We offer rewards for qualifying vulnerabilities:
| Severity | Reward Range |
|---|---|
| Critical | $5,000 - $10,000 |
| High | $2,000 - $5,000 |
| Medium | $500 - $2,000 |
| Low | $100 - $500 |
### Severity Levels
Critical:
- Remote code execution
- SQL injection with data access
- Authentication bypass
- Privilege escalation to admin
High:
- Stored XSS
- CSRF on sensitive actions
- Sensitive data exposure
- Authorization bypass
Medium:
- Reflected XSS
- CSRF on non-sensitive actions
- Information disclosure
- Rate limiting bypass
Low:
- Security misconfigurations
- Missing security headers
- Verbose error messages
- Minor information disclosure
### Eligibility
- First reporter of a unique vulnerability
- Vulnerability must be reproducible
- Must follow responsible disclosure
- Must not violate rules of engagement
## Security Advisories
Security advisories are published at: https://github.com/BDR-AI/BDR-Agent-Factory/security/advisories

### Recent Advisories
None currently.
## Security Updates
Subscribe to security updates:
- GitHub Watch: Watch the repository for security advisories
- Email: Subscribe at security-updates@bdragentfactory.com
- RSS: https://bdragentfactory.com/security/feed.xml
- Twitter: @BDRAgentFactory
## Incident Response

### Process
1. Detection: Automated monitoring and user reports
2. Triage: Assess severity and impact within 1 hour
3. Containment: Isolate affected systems within 4 hours
4. Eradication: Remove threat and patch vulnerabilities
5. Recovery: Restore services and verify integrity
6. Post-Incident: Document lessons learned and improve
### Communication
- Status Page: https://status.bdragentfactory.com
- Incident Updates: Every 2 hours during active incidents
- Post-Mortem: Published within 7 days of resolution
## Security Team
Our security team is available 24/7 for critical issues.
Contact:
- Email: security@bdragentfactory.com
- PGP Key: https://bdragentfactory.com/security/pgp-key.asc
- Emergency Hotline: +1-555-SECURITY (for critical issues only)
## Acknowledgments
We thank the following security researchers for their responsible disclosure:
(List will be updated as vulnerabilities are reported and fixed)
## Additional Resources
Last Updated: January 3, 2026
Version: 1.0.0