Responsible Disclosure Policy
Your security insights matter.
Purpose
The main goal of our vulnerability disclosure policy is to help ensure that vulnerabilities are patched or fixed in a timely manner with the ultimate objective of securing our users’ information. This policy is intended to give clear guidelines for reporting potentially unknown or harmful security vulnerabilities.
Security Researchers
Biograph recognizes the positive contributions of security researchers and encourages the responsible and direct disclosure of potential security vulnerabilities to us. We accept vulnerability reports from all sources.
Our Commitments to Researchers
Biograph is committed to working collaboratively with security researchers.
We will maintain standard confidentiality in our communications with you.
We will work with you to validate and respond to your disclosure.
We will investigate and use all reasonable efforts to remediate validated issues in a manner consistent with protecting the safety and security of those potentially affected by a reported vulnerability.
Biograph reserves all of its legal rights in the event of non-compliance with this Policy, but it does not intend to pursue legal action against any party that conducts security research and discloses information to us in good faith and as outlined in this Policy.
What We Ask of Researchers
To ensure responsible disclosure and avoid unintended harm, we request that researchers:
We request that you communicate information about potential security vulnerabilities in a responsible manner. This means complying with all applicable laws and respecting the privacy of individuals. Your security research should also avoid degradation of our users’ experiences, disruption to systems, and destruction of data.
We request that researchers provide sufficient technical detail and background necessary for our team to identify and validate reported issues.
We request that researchers act for the common good, protecting user privacy and security by refraining from publicly disclosing vulnerabilities.
Scope
This policy applies to the following Biograph-owned systems and services:
biograph.com, and the following hostnames:
members.biograph.com
public.biograph.com
Any other subdomain of biograph.com and all customer applications are excluded from this policy.
Any services not expressly listed above, such as any connected services, are excluded from scope and are not authorized for testing. Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any). If you aren’t sure whether a system is in scope or not, please contact security@biograph.com before starting your research.
The following activities are explicitly out of scope of this policy.
Compromising the integrity, availability, or confidentiality of non-public information in the possession of Biograph.
Failing to immediately delete/destroy sensitive information or personal data you may inadvertently access.
Publicly disclosing any potential vulnerability without the express written consent of Biograph.
Intentionally or negligently causing a denial-of-service condition for any user beyond the researcher.
Exploitation of any vulnerability that sends bulk unsolicited or unauthorized messages (spam).
Posting, transmitting, uploading, or linking malware, viruses, or similar harmful software that could impact our services, products or customers or any other third party.
Testing third-party websites, applications, or services that integrate with our services or products.
Conducting social engineering (including phishing) of Biograph employees, contractors, customers, or any other party.
We require researchers to contact us at security@biograph.com before engaging in research that may be inconsistent with or not addressed by this policy. If in doubt, ask us before engaging in any specific action you think may go outside the bounds of this policy.
Reporting Potential Security Vulnerabilities
If you believe you have discovered a potential security vulnerability in any digital asset owned, operated, or maintained by Biograph or a circumstance that could reasonably impact the security of our Company or our users, we encourage you to disclose this to us. You may report potential security vulnerabilities to us by sending an email to security@biograph.com using our optional PGP key below. Please provide all known information related to the suspected security vulnerability you are reporting.
Upon submission, we will acknowledge receipt of each vulnerability report, conduct a thorough investigation, and then take appropriate action for resolution, if any.
While no type of vulnerability is explicitly out of the scope of this policy, researchers are asked to consider the attack scenario and exploitability associated with any potential security vulnerability submitted.
Public GPG Key
If you'd like to encrypt your communications with Biograph, please use our PGP key below. All security-related emails from Biograph will be signed with this key.