Maintaining the security and integrity of our software, services, and user data is a top priority at Bayat Games. We welcome and appreciate the contributions of external security researchers in helping us identify and address potential vulnerabilities.
This security policy aligns with our Secure Coding Guidelines and Vulnerability Management Standards as defined in the Bayat Development Conventions.
We encourage you to report security issues in any software, service, or website governed by Bayat Games.
Please note that some projects may include features that perform inherently unsafe operations by design (such as plugins that execute arbitrary code or options with known security implications). When this behavior is explicitly documented, it is not considered a security vulnerability.
While there are no rigid criteria for determining whether an issue qualifies as a security vulnerability or a standard bug, we prefer that you err on the side of caution. When in doubt, please submit a security report.
Security issues should be reported by email to security@bayat.io.
Our security team will acknowledge receipt of your report within 48 hours. You will receive a more detailed response within 96 hours, outlining our assessment of the issue and any next steps.
For coordinated vulnerability disclosure, we will create a GitHub Security Advisory to discuss the issue internally and, when appropriate, invite you to participate in the advisory process.
This process follows our DevSecOps Practices and Incident Response Guidelines.
Bayat Games provides safe harbor protection for security researchers who:
- Make good faith efforts to avoid privacy violations, destruction of data, and disruption or degradation of our services
- Only interact with accounts they own or have explicit permission to access. Anyone who inadvertently encounters Personally Identifiable Information (PII) must immediately stop their activity, contact us, and delete any locally stored information
- Provide us with reasonable time to investigate and address vulnerabilities before any public disclosure
- Comply with all applicable laws and regulations
We consider activities conducted in accordance with this policy to be "authorized" and will not pursue legal action or file complaints with law enforcement for such activities. We will also provide assistance if legal action is initiated by a third party against individuals complying with this policy.
Before engaging in any security research activities that might fall outside the scope of this policy, please contact us first.
- Provide detailed reports with reproducible steps and clearly defined impact assessment
- Submit one vulnerability per report for clarity and focused resolution
- Do not engage in social engineering attacks (phishing, vishing, smishing, etc.)
- Follow our Data Protection Guidelines when handling sensitive information
All Bayat projects adhere to comprehensive security standards as defined in our Bayat Development Conventions, including:
- Secure Coding Practices
- Authentication Standards
- Data Protection Guidelines
- Supply Chain Security Measures
- SAST/DAST Implementation
For security inquiries or to report vulnerabilities, please contact: security@bayat.io