Vulnerability Disclosure
If you found a hole, tell us before anyone else does.
We'd rather a good-faith researcher warn us than find out some other way. This page is the formal invitation to do that without fear of legal consequences.
Last updated: July 3, 2026
In scope
beoriginal.id (site and public API), the brand panel, and the label verification flow.
Out of scope
Social engineering our team, denial-of-service attacks, physical access to our offices or the label production chain, and vulnerabilities in third-party services (Vercel, Neon, Google, Cal.com) — report those directly to them.
Ground rules (safe harbor)
If your research is in good faith, follows these rules, and avoids damaging real data or disrupting the service, we won't take legal action against you or report your activity, even if it technically crosses a line in our Acceptable Use policy.
- Don't access, modify or exfiltrate other people's or brands' data beyond the minimum needed to demonstrate the issue.
- Don't use the finding for extortion or public disclosure before giving us reasonable time to fix it.
- Stop and report to us as soon as you've confirmed the issue — don't keep digging.
How to report
Email beo@beoriginal.id with: what you found, how to reproduce it, and the impact you believe it has. Include a minimal proof of concept if you can.
What to expect from us
We acknowledge receipt within 72 hours. We'll let you know once it's fixed. We don't offer a paid bug bounty right now, but if you help us, we'll credit you publicly if you'd like.
Changes
If this policy changes, we update it here.