Effective July 16, 2026.
Botdoc builds Secure Digital Transport for some of the most sensitive data workflows in banking, healthcare, education, and automotive retail. Security research makes our platform stronger. We welcome good-faith efforts to find and report vulnerabilities in our products, and we commit to working with researchers openly, quickly, and without legal threats.
Botdoc conducts ongoing internal vulnerability scanning and security assessments. External researcher reports complement our existing internal security program.
This policy describes what systems are in scope, how to report a finding, what you can expect from us, and the protections we extend to researchers acting in good faith. This policy fulfills Goal 5 of the CISA Secure by Design Pledge, which Botdoc has signed.
In scope:
botdoc.io and subdomains operated by Botdoc
app.botdoc.io (the Botdoc platform)
The Botdoc API
securemfp.io and Botdoc-operated product sites
Out of scope:
Denial of service (DoS/DDoS) testing of any kind
Social engineering of Botdoc employees, partners, or customers
Physical attacks against Botdoc facilities or infrastructure
Third-party services and platforms not operated by Botdoc, including customer systems that receive data via Botdoc
Automated scanning at volumes that degrade service for other users
Spam, phishing simulation, or attacks requiring stolen credentials
When conducting research under this policy please:
Do not access, modify, or delete data that does not belong to you
Do not demand payment in exchange for vulnerability information
Use only test accounts and do not test against real client data
Keep all findings confidential until Botdoc has had reasonable time to respond and remediate
Act in good faith and in compliance with all applicable laws
Email support@botdoc.io with the subject line "Vulnerability Report" and include:
A description of the vulnerability and its potential impact
Steps to reproduce (proof-of-concept, screenshots, or scripts help)
The URL, endpoint, or component affected
Your contact information for follow-up
Please do not include real customer data in reports. If you encounter sensitive data during research, stop, do not download or retain it, and report it immediately.
Every report that follows the submission guidelines receives an acknowledgment. Due to the volume of reports we receive, however, Botdoc is unable to investigate or provide an assessment response for every submission. We will not provide assessment responses to reports that:
Do not follow our submission guidelines above
Contain unvalidated vulnerabilities without a proof of concept demonstrating actual impact
Consist of low-value findings commonly identified by automated scanning tools, including SPF records, DMARC records, and TLS/HTTPS algorithm or cipher configurations
Rely on brute force, social engineering, or physical access to exploit
Are limited to non-critical public website components with no impact on our product, infrastructure, or user data
Duplicate a finding that has already been reported
Acknowledgment within 3 business days of your report.
Investigation and validation of all good-faith reports that meet our submission guidelines.
An initial assessment within 10 business days, including whether we consider it a valid vulnerability and its severity.
Regular status updates until resolution.
Credit for your finding, if you want it, once the issue is resolved.
If you make a good-faith effort to comply with this policy during your research, we will consider your research authorized. We will not recommend or pursue legal action against you for your research, and if a third party initiates legal action against you for activity conducted in accordance with this policy, we will formally notify the relevant parties that your actions were conducted in compliance with this policy and that we authorized your research.
Good-faith security research conducted in accordance with this policy is an authorized exception to the security testing prohibitions in our Acceptable Use Policy.
Good faith means: you access only what is minimally necessary to confirm the existence of a vulnerability; you avoid privacy violations, data destruction, and service degradation; you do not access or retain data beyond what is needed to demonstrate the vulnerability; you give us reasonable time to remediate before any public disclosure; and you do not exploit a finding beyond proof of concept.
We ask for 90 days from acknowledgment before public disclosure, or a mutually agreed timeline if remediation requires longer. We support coordinated public disclosure once a fix is deployed and will work with you on timing and content.
This is a disclosure policy, not a bounty program. We do not currently offer monetary rewards. We do offer acknowledgment, credit, and our commitment to fix what you find.
Email support@botdoc.io with the subject line "Vulnerability Report".