responsible disclosure

Find a bug in brink? Tell us, not the internet.

We run autonomous attackers for a living, so we take this seriously. If you've found a real security issue affecting brink's own infrastructure or production app, the policy below tells you how to report it and what to expect back.

1 · in scope

  • brink.security and any *.brink.security subdomain we operate
  • the dashboard at app.brink.security
  • the API at api.brink.security
  • the scope proxy at egress.brink.security
  • any package published under @brink/* on npm

2 · out of scope

  • customer tenants — those are the customers' to disclose, not ours
  • third-party services we integrate with (auth providers, Stripe, Sentry)
  • findings that require physical access, social engineering, or denial-of-service (DoS) traffic volumes
  • missing security headers on the marketing site (we know, file a github issue)

3 · how to report

Encrypt with our PGP key, then email security@brink.security. We acknowledge within one business day and triage within three. If you do not hear back, escalate to founders@brink.security.

pgp fingerprint:
8C4E 7D9B 21A0 5F88 1A0F · 91F3 D8B2 6C0A 4E7E 9CFB

4 · safe harbor

We will not pursue or support legal action against researchers who report findings in good faith and within this policy. You may not, in the course of a test, intentionally exfiltrate real customer data, degrade availability for any customer, or share details publicly until we have remediated and you have received written acknowledgment. Disclosure timeline: 90 days from report or 14 days from remediation, whichever comes first.

5 · what you get

  • credit in our public security acknowledgments page
  • direct line to the engineer who owns the affected code
  • bounty for confirmed findings (criticals: usd 5,000 / high: 2,000 / medium: 500) — paid via stripe, no NDAs
  • a swag bag you actually want, designed by our brand lead