Your cart is empty.Shop Now
This policy will change from time to time and will be updated without notice. This policy was last modified on Dec 2, 2023. The most current version of this policy can be found on our website at https://www.brightlightbooks.com.
BrightLight Books prioritizes customer safety and privacy as well as business continuity in all of our IT operations and as such we value collaboration with skilled security researchers to identify and mitigate vulnerabilities in our systems.
If you believe you have found a security vulnerability we encourage you to let us know right away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before engaging in testing against our systems please review this page for information including our bounty payments, rules, disclosure guidelines, and the types of things that should not be reported.
Any activities conducted in a manner consistent with this policy will be considered authorized conduct and we will not take legal action against you regarding these activities. If legal action is initiated by a third party against you in connection with activities conducted under this policy we will take all reasonable steps to make it known that your actions were conducted in compliance with this policy.
We pay bounties based on the maximum impact of the vulnerability and we will consider the ramifications of further exploitation of a verified vulnerability in setting the bounty amount. Please make sure to describe any further exploitation or penetration you believe may be possible in your report so that we can consider it in setting the bounty amount.
All employees of BrightLight Books, Inc. are prohibited from participating in or assisting in any way with activities conducted under this policy. If we find that you were assisted by an employee in any meaningful way you will not be eligible for a bounty payment.
Additionally you will be eligible for a bounty payment only if you are the first person to disclose an issue not previously known to us. Rewards for valid vulnerabilities are based on severity, determined solely at our discretion but guided by the CVSS score as calculated using the online calculator at https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator (or any future successors). Typical rewards range from $100 to $500 (in US dollars) and will be sent by PayPal. Bounties cannot be paid to foreign governments or corporations or to individuals residing in a country currently under sanction by the United States.
We practice Coordinated Disclosure: We agree to allow you to disclose your discovered vulnerability and to publicly credit you for the discovery if you wish but only after we have mitigated the risk. Our standard period of non-disclosure is 14 days from acknowledgement but by submitting a report you agree to coordinate reasonable extensions with us for more complex issues. Any mutually agreed-upon disclosure period extension will not delay the issuance of bounty payments.
Expect an initial acknowledgement within 3 business days. This initial acknowledgement does not mean we have accepted the validity of your report but is merely our notice to you that we have received and are investigating it. We will contact you again after reviewing your report to either accept it, request further information from you or to reject your report as invalid. If your report is accepted we will follow up with a proposed bounty payment within 2 business days after notifying you of acceptance. If we reject your report we will include an explanation unless the vulnerability is one listed in the Exclusions section below.
Report vulnerabilities only to [email protected]. Reports received via alternative contact methods or addresses may not be accepted or if accepted may not be eligible for a bounty payment. If you feel your report should be sent confidentially please make initial contact at the address above and we will coordinate a secure communication channel with you, preferably via PGP.
If our team cannot reproduce or verify an issue a bounty cannot be awarded so please write your report in a way that makes it easy for us to reproduce the submitted issue. Specifically you should send a clear description of the vulnerability written in English and including steps to reproduce or demonstrate the vulnerability. To help us understand the issue you may include non-executable attachments such as screenshots or proof of concept code within the body of the email as necessary. List impacted URL(s) and any affected parameters when applicable. Reports that only feature a video proof of concept without written reproduction steps will be refused. Additionally we will not follow any links included in your report unless they are to a well known website or a website which we operate.
Should you manage to penetrate one of our systems you should not leave it in a more vulnerable state than how you found it. You should not engage in testing or related activities that degrade, damage, or destroy information within our systems or exfiltrate any real customer information. If, while researching a vulnerability you are unsure whether you should continue please pause your testing and immediately email our security team at [email protected].
Please be patient while we are working on the evaluation and remediation of your report as we are a small team with limited resources. You may rest assured that you will hear from us as soon as there is any news so please refrain from asking for additional updates before 5 days have passed since you last heard from us.
Activities exceeding this scope are not protected by this policy’s Safe Harbor clause.
Please do not engage in DDoS, spamming or social engineering attacks.
Additionally the following vulnerability classes do not qualify for a reward under this policy: