Responsible Vulnerability Disclosure Policy

1. Purpose and Commitment

At BidMachine Inc., the confidentiality, integrity, privacy, and availability of our systems and the data we process are fundamental to our business and to the trust our partners place in us.

We recognize the value of independent security research and encourage responsible reporting of vulnerabilities. This policy establishes a clear framework for identifying, reporting, and addressing potential security vulnerabilities in our products, services, or infrastructure.

Our commitment is to:

  • Provide a defined and lawful process for vulnerability reporting.
  • Respond promptly and transparently to legitimate findings.
  • Foster collaboration with the security community in good faith.
  • Ensure compliance with all applicable laws, regulations, and contractual obligations.

2. Scope

This policy applies to all BidMachine-owned systems, services, APIs, and applications operating under the bidmachine.io domain and any associated subdomains or environments under BidMachine’s operational control.
Vulnerabilities related to partner or third-party platforms integrated with BidMachine should be reported directly to those providers.

3. Reporting Procedure

Researchers, partners, or users who identify a potential vulnerability are encouraged to report it responsibly and confidentially to the BidMachine Security Team.

Report submission:
[email protected]

Your report should include:

  • A detailed description of the vulnerability.
  • Affected system, endpoint, or component.
  • Steps to reproduce the issue, and potential impact.
  • Proof-of-concept or evidence supporting the finding.

4. Guiding Principles for Researchers

Researchers are expected to act in good faith and comply with the following:

  • Do not exploit or use the vulnerability to access, alter, or exfiltrate data.
  • Avoid any action that may cause service disruption or degrade system performance.
  • Refrain from public disclosure until BidMachine has completed remediation and explicitly authorized publication.
  • Comply with all applicable laws and act with due care when handling potentially sensitive data.

Researchers following these principles will be protected under BidMachine’s Good Faith Safe Harbor (see Section 8).

5. BidMachine’s Response Process

Upon receipt of a valid report, BidMachine will:

  1. Acknowledge receipt of the submission within 5 business days.
  2. Validate and triage the report based on severity and potential impact.
  3. Assign ownership within the Security or Engineering team for remediation.
  4. Provide periodic updates to the reporter, when possible.
  5. Deploy a fix or mitigation in a timely manner consistent with risk severity.
  6. Issue a closure notice to the reporter once remediation is complete.

Where appropriate, BidMachine may publish post-remediation acknowledgments or summaries of resolved vulnerabilities to promote transparency and trust.

6. Internal Governance

This policy is managed by the Compliance & Security Function, which coordinates with:

  • Engineering (for technical validation and remediation),
  • Legal (for regulatory and contractual obligations), and
  • Communications (for any necessary external disclosure or notification).

Incident response and vulnerability management activities are aligned with BidMachine’s overarching Information Security Policy and SOC 2 Type II control framework.

7. No Compensation Policy

BidMachine currently operates a non-monetary disclosure program.
We do not offer financial rewards or bounties for reported vulnerabilities but may, at our discretion, acknowledge researchers who contribute responsibly to improving our security posture.

8. Legal Safe Harbor

BidMachine will not initiate legal action against individuals who:

  • Submit reports in good faith under this policy,
  • Avoid privacy violations or unauthorized data access, and
  • Provide sufficient detail to enable remediation without causing harm.

We reserve the right to take appropriate legal action in cases of intentional exploitation, misuse, or actions that cause actual harm to users, systems, or data.

9. Review and Updates

This policy is reviewed annually by the Compliance & Security Function to ensure alignment with evolving security standards, legal requirements, and industry best practices (including ISO/IEC 29147 and ISO/IEC 30111).

10. Contact

All vulnerability reports and related correspondence should be directed to:
[email protected]

For general privacy or compliance inquiries, please contact: [email protected]