At Bessie Moore, we take the protection of our systems and client information very seriously. We value the work that ethical hackers and security researchers do to keep our security standards high by responsibly disclosing any vulnerabilities they find.
This policy describes how we will accept and handle reports of vulnerabilities.
1. Our Promise
We pledge to cooperate with security researchers in order to promptly confirm, replicate, and fix any vulnerabilities that are reported. Our goal will be to:
Within three business days, acknowledge receipt of your report.
Give a precise timeframe for fixing the weakness.
not file a lawsuit against you if you abide by the guidelines in this policy.
We'll keep you informed of our progress as it happens.
2. Systems Scope Within the Scope
The digital assets listed below are covered by this policy:
The main website and all of its subdomains are bessiemoore.shop.
3. Outside of the Purview
The following specifically fall outside the purview of reporting vulnerabilities:
physical assaults on our personnel, data centers, or property.
attacks using social engineering (such as phishing and vishing) directed at our clients or staff.
volumetric attacks or denial-of-service (DoS/DDoS) attacks.
problems relating to spam.
integrations and services from third parties (like PayPal and email providers). Please notify the appropriate vendor directly of any vulnerabilities in those services.
problems relating to vulnerabilities in outdated browsers.
minor problems with no real-world security ramifications (such as clickjacking on static pages or missing HTTP headers unrelated to security).
4. Participation Guidelines: Guidelines for Reporting
Please send us an email at security@bessiemoore.shop to report a security issue.
Because they are not prepared to handle vulnerability reports, please do not use other contact methods (such as the customer service phone or email).
Your report ought to contain:
a thorough explanation of the weakness and its possible effects.
The procedures needed to replicate the problem (screen captures, screenshots, or Proof-of-Concept code are very useful).
The impacted parameters and URL(s).
Please provide your name, handle, and a method of contact (e.g., email, PGP key).
To protect the confidentiality of the data, we strongly advise you to encrypt your report using our PGP public key, if it is available.
5. The Rules (What We Ask of You)
In order to guarantee responsible disclosure, we need you to:
Never access or change someone else's user data.
Avoid disruptive testing such as DoS/DDoS attacks.
Don't try to exfiltrate data or install malware.
Don't reveal the vulnerability to the general public or any other third party before we've had at least ninety days to fix it.
Please abide by all relevant laws and rules.
6. What to Expect From Us
Within three business days, we will confirm that we have received your report.
Evaluation: After reviewing the report, our staff might get in touch with you to ask more questions.
Timeline: We will give you an approximate mitigation timeline and update you on our progress.
Acknowledgment: Once the vulnerability has been fixed, we would be pleased to give you credit on this page for your responsible disclosure, if you grant us permission.
No Legal Action: If you have tried in good faith to abide by this policy, we will not file a lawsuit or open a law enforcement investigation against you.
7. We Don't Provide Cash Benefits
It should be noted that Bessie Moore is a small, independent company and does not currently provide financial incentives for reporting vulnerabilities or a paid bug bounty program. We can provide our appreciation and, if desired, public recognition.
8. Modifications to Policies
This policy may be updated from time to time. Before submitting a report, researchers are encouraged to review it.
We appreciate your assistance in protecting Bessie Moore and our clients.
Email address for security-related inquiries: security@bessiemoore.shop
Please use our primary contact information for any other questions (customer service, orders, returns).