Responsible Disclosure Policy
Last updated · 24 June 2026
BMETAL welcomes reports from security researchers. This policy explains how to report a vulnerability to us, what is in scope, and what you can expect in return. We are committed to working with the security community in good faith to keep our customers and infrastructure safe.
1. How to report
Email security@bmetal.ai with a clear description of the issue. Where possible, please include: the type of vulnerability, the affected asset or endpoint, step-by-step reproduction details, proof-of-concept code or screenshots, and the potential impact. Encrypt sensitive details where appropriate; you may request our PGP key in your initial message.
Please do not report security vulnerabilities through public channels, social media, or support tickets. Use security@bmetal.ai so we can triage promptly and confidentially.
2. Scope
In scope: BMETAL’s public websites, APIs, and services that we operate. Out-of-scope items include, without limitation:
- Findings from automated scanners without a demonstrated, exploitable impact.
- Denial-of-service, volumetric, or resource-exhaustion testing.
- Social engineering, phishing, or physical attacks against our staff, users, or facilities.
- Reports affecting unsupported browsers or third-party services we do not control.
- Missing best-practice headers or configurations without a concrete security impact.
3. Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will consider your activity authorized, we will not pursue or support legal action against you for that research, and we will work with you to understand and resolve the issue quickly. This authorization does not extend to actions that are inconsistent with this policy, that intentionally harm BMETAL or its customers, or that violate applicable law.
4. Rules of engagement
- Only test against accounts and assets you own or have explicit permission to test.
- Do not access, modify, or destroy data that is not yours, and minimize the data you access to what is necessary to demonstrate the issue.
- Stop testing and report immediately if you encounter sensitive data (for example, personal data or credentials).
- Do not degrade the availability or integrity of our services for others.
- Give us a reasonable opportunity to remediate before any public disclosure, and coordinate timing with us.
5. What you can expect from us
- Acknowledgement of your report, typically within three (3) business days.
- A timely triage and an honest assessment of validity and severity.
- Regular updates on remediation progress for valid reports.
- Credit for your contribution, with your permission, once an issue is resolved.
We do not currently operate a paid bug-bounty program, but we are grateful for responsible reports and will recognize researchers who help us improve. This may change; check this page for updates.
6. Contact
Reach our security team at security@bmetal.ai. For urgent matters affecting customer safety, mark your message “URGENT” in the subject line.
Questions about this document? Contact legal@bmetal.ai.
BMETAL, Inc. · A Delaware corporation · San Francisco, California, USA.