Responsible Disclosure
We take security seriously. If you discover a security vulnerability in BOTCHA, please report it responsibly.
Reporting a Vulnerability
Email: security@binary.ly
Please include:
- Detailed description of the vulnerability
- Steps to reproduce
- Potential impact
- Your contact information (optional)
What We Ask
- Do not publicly disclose the vulnerability before we've addressed it
- Do not exploit the vulnerability beyond proof-of-concept testing
- Do not access, modify, or delete data in the database
- Do give us a reasonable amount of time to fix the issue (14-90 days)
What We'll Do
- Acknowledge receipt within 48 hours
- Investigate and validate the report
- Keep you informed of our progress
- Credit you in our changelog (if desired)
- Fix critical vulnerabilities within 30 days
Scope
In Scope
- botcha.binary.ly domain
- BOTCHA API endpoints
- Challenge generation and verification
- Database security
Out of Scope
- Social engineering
- Physical attacks
- Denial of service (DoS)
- Spam or content issues
Security Measures
Security measures currently in place (items marked "planned" are not yet deployed):
- HTTPS/TLS encryption
- Input validation and sanitization
- HMAC-based challenge verification
- Steganographic verification codes
- Time-bound challenges
- Rate limiting (planned)
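The two list items "HMAC-based challenge verification" and "Time-bound challenges" describe a common pattern: the server hands out an opaque challenge carrying a nonce and an expiry, authenticates it with an HMAC under a server-side key, and on verification checks the tag in constant time before it trusts the expiry, then rejects replays. The block below is an added illustration of that pattern, not BOTCHA's own code; the token layout (nonce || expiry || tag), the 120-second lifetime, the in-memory replay cache, and the function names issue_challenge / verify_challenge / forge_extended_expiry are all assumptions made for the example.

```python
"""Illustrative HMAC-signed, time-bound challenge tokens.

Added example; not BOTCHA's implementation. Token layout, TTL and key
handling are assumptions chosen for the illustration.
"""
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Set, Tuple

# Assumption: a 32-byte server-side secret; in production load it from a
# secrets store rather than generating it at import time.
SERVER_KEY = os.urandom(32)
CHALLENGE_TTL_SECONDS = 120          # assumed challenge lifetime

NONCE_LEN, EXPIRY_LEN, TAG_LEN = 16, 8, 32
_used_nonces: Set[bytes] = set()     # replay cache for the illustration only


def _sign(payload: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over nonce || expiry."""
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_challenge(key: bytes = SERVER_KEY, now: Optional[float] = None,
                    ttl: int = CHALLENGE_TTL_SECONDS) -> str:
    """Return base64url(nonce16 || expiry_u64_be || hmac32)."""
    now = time.time() if now is None else now
    nonce = os.urandom(NONCE_LEN)
    payload = nonce + struct.pack(">Q", int(now) + ttl)
    return base64.urlsafe_b64encode(payload + _sign(payload, key)).decode("ascii")


def verify_challenge(token: str, key: bytes = SERVER_KEY,
                     now: Optional[float] = None,
                     used: Optional[Set[bytes]] = None) -> Tuple[bool, str]:
    """Check signature (constant time) before expiry, then reject replays."""
    now = time.time() if now is None else now
    used = _used_nonces if used is None else used
    try:
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
    except (ValueError, UnicodeEncodeError):
        return False, "malformed"
    if len(raw) != NONCE_LEN + EXPIRY_LEN + TAG_LEN:
        return False, "malformed"
    payload, tag = raw[:NONCE_LEN + EXPIRY_LEN], raw[NONCE_LEN + EXPIRY_LEN:]
    # Authenticate first, so the expiry field is only trusted once it is
    # known to be server-issued; compare_digest avoids a timing side channel.
    if not hmac.compare_digest(_sign(payload, key), tag):
        return False, "bad signature"
    nonce = payload[:NONCE_LEN]
    expiry = struct.unpack(">Q", payload[NONCE_LEN:])[0]
    if now > expiry:
        return False, "expired"
    if nonce in used:
        return False, "replayed"
    used.add(nonce)
    return True, "ok"


def forge_extended_expiry(token: str, extra_seconds: int = 3600) -> str:
    """Attacker view: bump the expiry without the key. The tag no longer matches."""
    raw = bytearray(base64.urlsafe_b64decode(token.encode("ascii")))
    expiry = struct.unpack(">Q", raw[NONCE_LEN:NONCE_LEN + EXPIRY_LEN])[0]
    raw[NONCE_LEN:NONCE_LEN + EXPIRY_LEN] = struct.pack(">Q", expiry + extra_seconds)
    return base64.urlsafe_b64encode(bytes(raw)).decode("ascii")


if __name__ == "__main__":
    t = issue_challenge(now=1000.0, ttl=60)
    print(verify_challenge(t, now=1010.0, used=set()))                    # (True, 'ok')
    print(verify_challenge(t, now=1061.0, used=set()))                    # (False, 'expired')
    print(verify_challenge(forge_extended_expiry(t), now=1010.0, used=set()))  # (False, 'bad signature')
```

Two design points are worth calling out. The tag is checked before anything in the payload is parsed or trusted, so a tampered expiry or nonce never reaches the later checks. And a valid, unexpired token is still single-use: the nonce goes into the replay cache on first success, so capturing a solved challenge does not let a bot reuse it until the TTL runs out.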
Known Limitations
BOTCHA is a public beta, and we acknowledge these limitations:
- No formal security audit conducted
- Database resets may occur
- Limited monitoring and alerting
- Experimental verification methods
Bug Bounty
Currently, we do not offer a formal bug bounty program. However, we deeply appreciate security researchers' efforts and will:
- Publicly acknowledge contributions (with permission)
- Consider bounties for critical findings on a case-by-case basis
Security Updates
Security patches will be:
- Deployed as soon as possible
- Documented in our changelog
- Announced on the main page (if critical)