Security
Vulnerability disclosure policy
This document describes how to report a vulnerability, our response SLA, and the guarantees we extend to security researchers. A machine-readable version is published at /.well-known/security.txt.
How to report a vulnerability
Email security@buyka.io. Supported languages: English, Russian. The PGP key will be published at https://buyka.io/pgp-key.txt before the production launch.
Please include:
- A description of the issue and potential impact.
- Step-by-step reproduction or PoC code.
- Affected component (apps/web, apps/api, specific endpoint).
- Your name / handle for the acknowledgements page — optional.
Please do not open a public GitHub issue. We coordinate disclosure to give us time to ship a fix before details go public.
Response SLA
| Severity | First response | Triage | Target fix |
|---|---|---|---|
| Critical | 24h | 48h | 7 days |
| High | 48h | 5 days | 30 days |
| Medium | 5 days | 14 days | 90 days |
| Low | 14 days | 30 days | 180 days |
Coordinated public disclosure happens 90 days after your report: sooner if we ship a fix earlier, later only with your agreement. Note that the 180-day target fix for Low findings exceeds this window, so for Low-severity reports we will ask you to agree to an extension before the 90 days run out.
In scope
- buyka.io and all subdomains
- apps/web (Next.js) and apps/api (NestJS) in this repo
- Auth flows, RFQ/Deal flows, payments (Stripe webhook), KYC, file uploads, admin endpoints
- Mobile-web responsive UI
- WebSocket gateway (/chat)
Out of scope
- Reports without a working PoC
- Social engineering / phishing of Buyka employees or users
- Physical attacks on offices / datacenters
- DoS / DDoS, brute force, and rate-limit exhaustion testing
- Self-XSS (requires victim to paste payload into devtools)
- Findings from automated scanners without manual triage
- Email spoofing without a demonstrated bypass of an authentication control (bare SPF/DKIM/DMARC misconfiguration reports are accepted at Low severity at most)
- Missing security headers without an exploitable consequence
Safe harbor
If you make a good-faith effort to follow this policy we will:
- Not pursue legal action for reasonable testing.
- Not contact law enforcement.
- Work with you on coordinated disclosure.
"Good faith" means:
- You don't access more data than necessary to demonstrate the issue.
- You don't degrade service for other users.
- You don't keep, share, or sell data accessed through the vulnerability — you destroy it after demonstrating the bug.
- You give us a reasonable window to fix the issue before public disclosure.
Bug bounty
A monetary bug bounty program is not active yet. We plan to launch a private HackerOne program in Phase 2, after MVP UAT and an external pen-test. Roadmap — docs/security/bug-bounty-roadmap.md.
In the meantime we offer:
- Acknowledgement at /security-acks
- Buyka swag once we have merchandise to ship.
- A notification via our security mailing list when bounties go live.