How to report a vulnerability
Send a clear report to admin@booaistudio.com with the affected URL or feature, reproduction steps, risk summary, timestamps, and any screenshots or logs needed to understand the issue.
Testing rules
- Test only what is needed to prove the issue exists.
- Do not access, download, modify, or retain customer data.
- Do not run denial-of-service attacks, spam calls, phishing, social engineering, or physical intrusion attempts.
- Do not chain a vulnerability into broader exploitation after the issue is confirmed.
Safe harbor for good-faith research
If you follow this policy, avoid privacy harm, and give us a reasonable chance to fix the issue before public disclosure, we will treat your work as authorized good-faith testing. This statement does not grant permission to break laws or access data that is not yours.
Out of scope
We generally do not treat issues that require unrealistic user action, already-public secrets, third-party services we do not control, self-XSS, rate limits with no real impact, or automated scanner noise without a reproducible exploit as valid vulnerability reports.
Our response process
We aim to acknowledge reports promptly, review severity, and keep the reporter informed when practical. We may request extra detail, coordinate on a fix window, and close reports that cannot be reproduced or fall outside the policy.
