responsible disclosure

Find a bug in brink? Tell us, not the internet.

We run autonomous attackers for a living, so we take this seriously. brink is pre-launch — there's no production service or live security program yet. A formal disclosure and bounty program launches alongside the production product. Until then, if you've found a security issue affecting brink's infrastructure or code, the policy below tells you how to report it.

1 · in scope

  • usebrink.com and any *.usebrink.com subdomain we operate
  • any package published under @brink/* on npm

2 · out of scope

  • customer tenants — those are the customers' to disclose, not ours
  • third-party services we integrate with (auth providers, Stripe, Sentry)
  • findings that require physical access, social engineering, or DOS volume
  • missing security headers on the marketing site (we know, file a github issue)

3 · how to report

Email security@usebrink.com. If you'd like to encrypt your report, use our PGP key below.

pgp fingerprint:
8C4E 7D9B 21A0 5F88 1A0F · 91F3 D8B2 6C0A 4E7E 9CFB

4 · safe harbor

We will not pursue or support legal action against researchers who report findings in good faith and within this policy. You may not, in the course of a test, intentionally exfiltrate data, degrade availability, or share details publicly until we have remediated and you have received written acknowledgment. Disclosure timeline: 90 days from report or 14 days from remediation, whichever comes first.

5 · what you get

  • credit in our public security acknowledgments page
  • direct line to the engineer who owns the affected code
  • a formal bounty program with published reward tiers launches alongside the production product