Vulnerability Disclosure
Last updated: July 2026
We welcome security reports
Security is our business, and we hold ourselves to the standard we test others against. If you believe you have found a vulnerability in this website, in PhishSight, or in any other BugsLife system, we want to hear from you — and we appreciate the effort it takes to report responsibly.
How to report
Email [email protected] with the subject line "Vulnerability report". Please include:
- A description of the issue and where you found it (URL, endpoint, or product)
- Steps to reproduce, a proof of concept, or supporting screenshots
- The potential impact, as you understand it
- How you'd like to be credited, if the report is valid (optional)
A machine-readable version of this policy is published at /.well-known/security.txt (RFC 9116).
What you can expect from us
- Acknowledgement of your report within 48 hours
- An honest assessment and regular updates while we investigate
- A fix or mitigation as quickly as severity warrants
- Credit for your finding, if you'd like it, once resolved
We do not currently run a paid bug bounty program, but we take every good-faith report seriously and will say thank you properly.
Good-faith research
We will not pursue legal action against researchers who act in good faith: make a genuine effort to avoid privacy violations, data destruction and service disruption; only access data needed to demonstrate the issue; give us a reasonable time to remediate before public disclosure; and do not exploit a finding beyond what is necessary to prove it exists.
Out of scope
- Denial-of-service or volumetric testing of any kind
- Social engineering or phishing of BugsLife staff or clients
- Physical attacks against offices or infrastructure
- Findings from automated scanners without a demonstrated impact
- Third-party services we use but do not operate (report those to the vendor)