We appreciate your efforts to responsibly disclose your findings, and will make every effort to acknowledge your contributions.
BES does not operate a bug bounty program.
Beg bounties will not be accepted either.
By all means, if you find an actual security vulnerability then contact us and tell us what it is. If you find something awesome then we'd love to send you some stickers. But if you've just run some automated tooling, found something trivial, and then reached out with the expectation of cashing in, you're going to be disappointed.
For Tamanu, use its GitHub security vulnerability disclosure page.
For all other reports, or if you're not sure, email [email protected].
You may also wish to consult our security.txt file.
The BES security team will send a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix, and may ask for additional information or guidance.
BES runs a number of test sites. These are out of scope for data breaches and credential compromise.
BES is frequently found when researching systems that we interact with but do not develop. You may be looking for:
Report security bugs in third-party modules to the person or team maintaining the module. For Node.js projects, you can also report a vulnerability through the npm contact form by selecting "I'm reporting a security vulnerability".
- (2025-02-10) Omri — A DNS configuration issue