How to report
Email security@bedstone.ai. Include:
- What you found, in plain language.
- Where you found it — URL, host, or application name.
- Steps to reproduce. Proof-of-concept code or commands welcome.
- Impact as you understand it.
- Any mitigations or fixes you would suggest.
- Your name and how you would like to be acknowledged, if at all.
If the issue is sensitive enough that plain email worries you, ask for our PGP key in the first message and we will send it from a separate channel.
What we promise
- Acknowledgement within 24 hours, normally same business day.
- Initial triage within 3 business days, with our view on severity and likely fix timeline.
- No legal action against good-faith researchers operating within the scope described below.
- A name credit on this page when the fix ships, if you want it.
- Status updates while the work is happening, on a cadence we agree with you.
- Honest communication. If we disagree with your assessment, we will say so and explain why.
What we ask of you
- Give us a reasonable window to fix the issue before public disclosure. Default is 90 days from acknowledgement, or sooner if we ship the fix and you confirm it.
- Do not run automated scanning that degrades availability for other users.
- Do not access or modify data that is not your own. Use test accounts you created, or accounts we provide for the engagement.
- Do not extract more data than necessary to demonstrate the issue.
- Do not pivot from the initial finding into adjacent systems without asking us first.
Scope
In scope:
- bedstone.ai and all subdomains we operate.
- Bedstone-operated infrastructure that is directly addressable from the public internet.
- Any artefact we have published that is intended to be downloaded or installed.
Out of scope (please do not test):
- Customer-tenant systems we have built but a customer now operates. Report those to the customer directly; we will pass it on if asked.
- Third-party services we use (Cloudflare, AWS, Google Workspace, Microsoft 365, LinkedIn, GitHub). Report those to the vendor.
- Anything physical, anything requiring social engineering of staff or customers, and any denial-of-service test.
- Findings that depend on conditions only achievable inside a Bedstone-operated environment with privileged credentials.
Severity and SLA
We use the standard CVSS v3.1 framing to assess severity. Internal SLA targets for fix or mitigation:
- Critical (CVSS 9.0+). Mitigation within 24 hours. Fix within 7 days.
- High (CVSS 7.0-8.9). Fix within 14 days.
- Medium (CVSS 4.0-6.9). Fix within 30 days.
- Low (CVSS < 4.0). Fix within 90 days, or accepted with documented justification.
If we miss a target, we tell you and explain why. We do not silently push deadlines.
Bounty
Bedstone does not currently run a monetary bug bounty. We may offer a one-off thank-you payment for critical findings on a case-by-case basis, but we do not promise it in advance. The acknowledgement on this page, the working relationship, and the honest fix process are what we can guarantee.
Safe harbour
If you act in good faith within the scope above and the rules in this page, we will not initiate or support legal action against you. We will treat your activity as authorised security research. This safe harbour does not extend to actions outside scope, attempts to exfiltrate customer data, or activity that breaches Australian law.
Hall of fame
Researchers who have responsibly disclosed valid findings will be listed here on request, with a link of their choosing. None yet — the site is new. We will keep this section honest.