🛡️ Responsible Disclosure Policy
Last Updated: 2025-12-11
Our Approach
BigHole follows a responsible disclosure model. When we detect exposed
credentials, we:
- Verify the exposure exists in a public repository
- Verify the credential is still active, using a single minimal, read-only request that changes no state and retrieves nothing beyond what confirms validity
- Privately notify the repository owner
- Wait 7 days before any follow-up
- Never publicly disclose specific findings
Notification Process
✅ What we send:
- Private security advisory (GitHub Security Tab)
- Email to repository owner (if available)
- Private issue (as last resort)
❌ What we DON'T send:
- The actual secret value
- Public issues or comments
- Notifications to anyone other than the owner
Reporting Vulnerabilities in BigHole
If you discover a vulnerability in BigHole itself:
- DO NOT open a public issue
- Email us or use GitHub's private security reporting
- Include:
  - Description of the vulnerability
  - Steps to reproduce
  - Potential impact
  - Suggested fix (if any)
Safe Harbor
We consider security research conducted consistent with this policy to be:
- Authorized and legal
- Helpful to our mission
- Conducted in good faith
We will not pursue legal action against researchers acting in good faith.
Scope
| In Scope | Out of Scope |
| --- | --- |
| BigHole application | Third-party services |
| Our API endpoints | Social engineering |
| Our notification system | Physical attacks |
| | Denial-of-service (DoS) attacks |
Recognition
We maintain a Hall of Fame for security researchers who help improve BigHole (with their permission).
Legal Basis
Our scanning activities are based on:
- Public Information: All scanned code is publicly accessible
- Good Faith: Our intent is to help, not harm
- Minimal Access: We only verify key validity with read-only operations
- No Exploitation: We never use discovered credentials for unauthorized access
Contact
For disclosure-related inquiries, please use our abuse report form or open a
private security advisory on GitHub.