bataSutra
News, context & tools

Responsible Disclosure

We value the security community. If you’ve found a vulnerability, please report it responsibly. We’ll acknowledge, triage, and fix valid reports.

In scope

  • Hosts under *.batasutra.com and batasutra.com
  • Public web apps, dashboards, and APIs owned by bataSutra
  • Mobile experiences and PWA surfaces linked from our site

Out of scope

  • Third-party services, CDN edges, or domains we don’t control
  • Denial of service, volumetric attacks, or rate limiting tests
  • Password/credential stuffing without user consent
  • Reports without security impact (e.g., clickjacking on non-sensitive pages, missing SPF/DMARC on parked domains)

Guidelines for researchers

  • Do not access, modify, or exfiltrate data that isn’t yours; use test accounts.
  • Avoid privacy violations, data destruction, and service disruption.
  • Provide a clear write-up with impact, steps to reproduce, and a minimal PoC.
  • Give us reasonable time to fix before public disclosure.

How to report

  1. Send an email to justin@batasutra.com.
  2. Include summary, impact, affected asset/URL, and reproduction steps.
  3. Attach PoC (text/screenshot) and logs where relevant.
  4. For sensitive details, encrypt using our PGP fingerprint listed above.

Please avoid privacy violations, data destruction, or service disruption. Test only with accounts you own or have permission to use.

Severity bands

Each band is listed as severity, description, and examples.

  • Critical: Unauthenticated RCE, full DB read/write, auth bypass. Examples: RCE; admin takeover; payment tampering.
  • High: Privileged data access or cross-tenant access. Examples: IDOR exposing other users’ data; SSRF to internal metadata.
  • Medium: Limited data exposure or privilege escalation conditions. Examples: Stored XSS (scoped); CSRF on sensitive action.
  • Low: Hardening issues with limited impact. Examples: Clickjacking; verbose server banners.

Safe Harbor

  • If you make a good-faith effort to comply with this policy, we will not pursue legal action.
  • We consider research under this policy authorized under the CFAA and similar laws.
  • If a third party initiates legal action, we will make it known your actions were conducted in accordance with this policy.

Program change log

2025-09-22
Static release build
Converted to static content; top/bottom tickers hydrate from Google Sheets (Headlines tab).