Security
Reporting a vulnerability
We take the security of Bossa Research, Bossa Labs, and our participants' data seriously. If you believe you've found a security vulnerability, we want to hear from you — and we'll work with you to confirm and fix it.
How to report
Email security@bossaresearch.com with a clear description. Our machine-readable contact is also published at /.well-known/security.txt (RFC 9116).
Please include:
- The type of issue and the affected URL, endpoint, or component.
- Steps to reproduce, proof-of-concept, or a short screen recording.
- The impact you believe it has, and any suggested remediation.
Our commitment
- We aim to acknowledge your report within 3 business days.
- We'll keep you updated as we investigate and remediate.
- We won't pursue legal action for good-faith research that follows this policy.
Please do
- Give us reasonable time to fix an issue before disclosing it publicly.
- Only test against your own accounts or data; never access others' personal data.
- Avoid privacy violations, service disruption (DoS), spam, and data destruction.
Scope: bossaresearch.com, app.bossaresearch.com, and
participante.bossaresearch.com. Third-party services we use are governed by their own
programs.