Security Policy

Effective 8 May 2026 · Updated annually

Bedrock Security Advisory Group LLC ("Bedrock") operates the bedrocksafe.com domain and the systems referenced from it. This page documents how we receive and respond to coordinated disclosure of security issues, in accordance with RFC 9116.

To report a security issue: email security@bedrocksafe.com (preferred) or security@bedrocksafe.com. Please include reproduction steps and the affected URL or component. We acknowledge within five business days.

Public-channel handling discipline. Bedrock's public website, email, and contact forms are not approved channels for classified information, Controlled Unclassified Information (CUI), export-controlled technical data (ITAR/EAR), source-selection information, proprietary third-party data, or sensitive government information. Public submissions should remain unclassified and non-CUI. If a matter requires controlled handling, contact Bedrock by phone to establish the appropriate path before transmitting details.

Scope

This policy covers:

The public website at bedrocksafe.com and any subdomain.
Public marketing assets, capability statements, and product pages we publish.
The Bedrock-operated tooling we make available to clients on bedrocksafe.com (when applicable).

This policy does NOT cover client systems, classified networks, customer environments, third-party services, or anything Bedrock accesses under contract on a customer's behalf. Issues found in those contexts must be reported to the relevant system owner directly, not to Bedrock.

Coordinated Disclosure

We ask researchers to:

Email the address above before public disclosure.
Allow at minimum 60 days from acknowledgment for remediation before any public write-up. Critical issues we'll discuss with you on a shorter timeline.
Avoid actions that degrade availability for other users (no DoS, no automated exploit chains, no data exfiltration beyond what's needed to demonstrate the issue).
Limit reproduction to what is necessary; do not access or retain data belonging to other parties.

In exchange we commit to:

Acknowledging your report within five business days.
Providing a status update within fifteen business days.
Not pursuing legal action against good-faith researchers who follow this policy.
Crediting researchers (with consent) on this page upon resolution.

Out of Scope

Reports concerning the following are explicitly out of scope and will typically be closed without action:

Self-XSS or attacks requiring the user to compromise their own browser or device.
Missing optional HTTP headers (informational; we already enforce HSTS, content-type-options, frame-options, referrer-policy, and permissions-policy at the edge).
SPF/DKIM/DMARC observations on subdomains we do not send mail from. We send mail from bedrocksafe.com apex only.
SSL/TLS configuration suggestions where the existing configuration meets or exceeds Mozilla intermediate-compatibility profile.
Third-party CDN or registrar issues we do not operate.
Vulnerabilities requiring rooted devices, physical access, or pre-existing compromise of the user's account.

What we will NOT do

We do not operate a paid bug bounty program. Researcher recognition is on this page, with consent, at our discretion.
We do not negotiate hush settlements or commit to non-disclosure beyond the coordinated disclosure window.
We do not accept reports under coercion or extortion. Any such attempt will be referred to law enforcement.

Encryption

If you require an encrypted channel for sensitive disclosure, request a PGP key in your initial unencrypted email and we will respond with one. We do not currently publish a static PGP key on this domain to avoid long-lived key-rotation drift.

Provenance

Bedrock Security Advisory Group LLC. UEI H323F8L44MV5. CAGE 01R17. Service-Disabled Veteran-Owned Small Business (SDVOSB), VetCert verified. SAM.gov registration active. Operating from Oklahoma, United States.

Bedrock Security Advisory Group LLC · bedrocksafe.com · security.txt