A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

Contact: mailto:security@biya.com.ng
Contact: https://biya.com.ng/get-started
Expires: 2027-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://biya.com.ng/.well-known/security.txt
Policy: https://biya.com.ng/security-policy
Hiring: https://biya.com.ng/careers

# Security Disclosure

If you discover a security vulnerability in Biya, please report it to us responsibly.

## Reporting Process

1. Email security@biya.com.ng with details of the vulnerability
2. Include steps to reproduce the issue
3. Allow us reasonable time to address the issue before public disclosure
4. We will acknowledge receipt within 48 hours

## Scope

- biya.com.ng and all subdomains
- BiyaBot on all platforms (Telegram, Slack, Messenger, etc.)
- API endpoints and integrations
- Mobile applications

## Out of Scope

- Third-party services we integrate with
- Social engineering attacks
- Physical security issues
- Denial of Service (DoS) attacks

## Safe Harbor

We support responsible disclosure and will not pursue legal action against security researchers who:
- Make a good faith effort to avoid privacy violations and data destruction
- Report vulnerabilities promptly
- Do not exploit vulnerabilities beyond what is necessary to demonstrate the issue

Thank you for helping keep Biya and our users safe!