2025-09-02

bluebear.nl

A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must therefore be easy to find by simple means: a security.txt notice.

# security.txt for BlueBear (https://www.bluebear.nl)
# We take security seriously. Like, wake-up-in-the-middle-of-the-night-checking-logs seriously.
# If you've found a vulnerability, we'd rather hear it from you than from the front page of Hacker News.

# BlueBear is a small but sharp SaaS team. Security is baked into how we build, not bolted on afterwards.
# We're doing our best to keep things secure, respond quickly, and work constructively with the security community.
# Be reasonable, be respectful, and we'll be the same.

# This file is identical across all BlueBear services and domains.
# Each domain hosts a local copy to ensure availability and isolation.
# Please excuse any brief synchronisation hiccups that, of course, definitely never happen.

Contact: mailto:security@bluebear.nl
Contact: https://www.bluebear.nl/security
Policy: https://www.bluebear.nl/security/responsible-disclosure
Preferred-Languages: nl, en
Canonical: https://www.bluebear.nl/.well-known/security.txt

# We kindly ask:
# - No ransom notes (not even polite ones).
# - Don't publicly disclose the issue before we've had a chance to fix things.
# - Don't test on production. We can provide a test environment if you feel like exploring.
# - Don't exploit the issue for fun/profit/chaos/fame. You can help us fix it instead.
# - Use your best judgement. If you think "should I be doing this?", maybe stop and ask us.

# Response timeline:
# - We aim to respond within 2 business days.
# - Triaging and mitigation will generally be possible in under a week.
# - We'll keep you in the loop. We're not ghosts (unless it's Halloween).

# Safe Harbour:
# We won't take legal action against research that is conducted in good faith and in line with the intent of this file and our policy.
# TL;DR: Be ethical, be responsible, and don't be a jerk.

# Bonus Points:
# If you find a bug with a single quote and some clever SQL, we're both impressed and a little scared.
# If it crashes the site, please *don't* try it again just to prove it wasn't a fluke.

# Remember: A Blue Bear is a friendly bear, until you poke it in production.

Expires: 2026-03-02T00:00:00Z

This policy, crawled by Onyphe on 2025-09-02, is sorted as securitytxt.
