Responsible disclosure policy

1. Introduction

The security of the Brake Point platform — and of the telemetry data entrusted to it — is a priority. This policy describes how to report a vulnerability responsibly, what we commit to in return, and credits the researchers who have contributed to improving our security.

It applies to the following surfaces:

www.brakepoint.io (public marketing site)
app.brakepoint.io (web application)
api.brakepoint.io (REST API)
Brake Point iOS and Android applications

2. How to report a vulnerability

Send an email to security@brakepoint.io with the following:

Description of the vulnerability (type, OWASP class if relevant)
URL or endpoint affected
Reproduction steps (proof of concept, curl commands, screenshots)
Estimated impact (read/write, data accessible, authentication prerequisites)
Your contact info (name or pseudonym to credit, if applicable)

An RFC 9116 compliant /.well-known/security.txt file is also available.

3. Our commitments

Acknowledgement within 3 business days
Assessment and triage within 10 business days
Fix deployed within a window aligned with severity:
- Critical / High: 30 days
- Medium: 60 days
- Low: 90 days
Public credit on this page after the fix ships (anonymous credit available on request)
No legal action against researchers who follow this policy

4. Scope

4.1 In-scope

Authentication, session, or access control vulnerabilities
Injections (SQL, NoSQL, command, template)
Cross-Site Scripting (XSS) with demonstrated JavaScript execution
Cross-Site Request Forgery (CSRF) on sensitive actions (password change, account deletion, billing changes)
Server-Side Request Forgery (SSRF), Local/Remote File Inclusion (LFI/RFI)
Insecure Direct Object References (IDOR) allowing access to another user's data
Exposure of secrets, API keys, or credentials
Privilege escalation (PILOT → TRAINER → ADMIN)
Bypass of Stripe payment flow or quota limits

4.2 Out-of-scope

Missing HTTP headers without a demonstrated exploit (CSP, HSTS, X-Frame-Options on their own — useful, but logged for internal hardening)
Self-XSS, clickjacking on public pages without a sensitive action
User enumeration on signup / login endpoints by design (BetterAuth returns the same status)
CSRF on non-sensitive actions (language toggle, logout)
Open redirects with no demonstrated impact
Email spoofing against subdomains with no MX
Vulnerabilities requiring physical access or compromise of the user's device
Denial of service (DoS, DDoS) attacks — do not attempt
Vulnerabilities in third-party dependencies with no demonstrated exploit on our infrastructure
Findings from automated scans without manual validation

5. Rules of engagement

Researchers commit to:

Not disrupting the service nor degrading the experience of other users
Not accessing, modifying or deleting data that doesn't belong to you — use your own account for testing
Not practicing social engineering against our employees, contractors or users
Not testing against Stripe, Brevo or Scaleway infrastructure beyond Brake Point's public endpoints
Not publicly disclosing the vulnerability before the fix ships (coordination required — 90 days default)
Limiting automated requests to a reasonable rate (≤ 5 req/s)

6. Rewards

Brake Point does not currently run a paid bug bounty program. We offer:

Public credit on this page (with link and vulnerability category)
Named acknowledgement in the fix commit and CHANGELOG
Brake Point swag (stickers, t-shirt) for notable contributions — on request, while supplies last
For exceptional contributions: extended free access to the Pro plan

This policy may evolve into a paid program after the official launch (end of November 2026).

7. Acknowledgements

We publicly thank the following researchers for contributing to Brake Point's security:

No validated report yet. Be the first.

8. Contact

Vulnerability reports: security@brakepoint.io

Data Protection Officer (DPO): privacy@brakepoint.io

Postal address:

Ethan Consulting
10 allées des boutons d'or
78180 Montigny-le-Bretonneux
France