If you have found a security issue, we want to hear from you.
Burna AI welcomes responsible disclosure of security vulnerabilities affecting the public website, the platform, or our infrastructure. The process below is designed to be fast, transparent, and fair to researchers acting in good faith.
01 What we are looking for
Reports about:
- Authentication, session management, and authorization vulnerabilities.
- Injection flaws (SQL, NoSQL, command, LDAP).
- Cross-site scripting and cross-site request forgery.
- Insecure direct object references and server-side request forgery.
- Cryptographic weaknesses and insecure key handling.
- Sensitive data exposure.
- Server-side vulnerabilities (RCE, file upload, deserialization).
- Business logic flaws that could expose customer data.
- Vulnerabilities in third-party dependencies that materially affect Burna AI.
02 What is out of scope
- Findings from automated scanners that do not include a working proof of concept.
- Best-practice recommendations without a specific vulnerability.
- Social engineering of Burna AI staff, customers, or partners.
- Denial of service attacks.
- Spam and content abuse on public forms.
- Physical attacks on Burna AI facilities or staff.
- Vulnerabilities requiring physical access to a victim’s device.
03 How to report
Email security@burna.ai with:
- A short description of the vulnerability.
- The affected URL, endpoint, or system.
- Reproduction steps with screenshots or video where helpful.
- The potential impact.
- Your name and any handle you would like credited (or “anonymous” if preferred).
For PGP-encrypted reports, email security@burna.ai first and request the current public key. The PGP key URL will be published at /.well-known/pgp-key.txt once the bug bounty program launches in 2027.
04 What we commit to
- Acknowledgement within 2 business days of receipt.
- Substantive response within 5 business days with our initial assessment.
- Remediation within 30 days for confirmed issues where feasible; longer timelines communicated transparently.
- Public credit to the reporter on resolution, with the reporter’s preferred name or handle (or anonymized if requested).
- Safe harbor: we will not pursue legal action against researchers acting in good faith under this policy.
05 What we ask from you
- Make a good faith effort to avoid privacy violations, service disruption, and destruction of data during your research.
- Use only the minimum scope necessary to demonstrate the vulnerability.
- Do not access, modify, or delete customer data; if you encounter PHI or other sensitive data, stop and report immediately.
- Give Burna AI reasonable time to remediate before public disclosure.
- Do not perform testing that affects the integrity or availability of the platform.
06 Hall of Fame
Researchers who report confirmed vulnerabilities under this policy are credited on resolution. Credits include the researcher’s preferred name or handle, the date of disclosure, and a brief summary of the issue category. Researchers may request anonymization or omission at any point before publication.
The Hall of Fame will be published on this page once the first credited disclosure is resolved.
07 Bug bounty roadmap
A formal bug bounty program is in development for 2027. Until then, Burna AI offers Hall of Fame recognition and, at our discretion, custom Burna AI swag for material findings. Once the bounty program launches, retroactive payment for prior reports will be considered on a case-by-case basis.
08 Contact
For security reports and PGP key requests, reach the inboxes below. The canonical machine-readable contact surface is /.well-known/security.txt per RFC 9116.
Security reports
Coordinated disclosure for good-faith researchers. Safe harbor applies to all reports made under this policy.