Responsible disclosure

How to report a security issue

We treat security reports as a first-class channel. Below is what we promise, what's in scope, and how to reach us.

  • Acknowledged: < 24 hours
  • Triaged: < 3 business days
  • Critical fixed: < 14 days

How to report

Email security@biglawbear.com with:

  • A description of the issue
  • Steps to reproduce
  • The impact you believe it has
  • Optional: your name + handle if you'd like an acknowledgment

Please do not include real candidate or firm data in the report. If you stumbled into something while testing, describe what you saw without copying the contents.

Safe harbor

Big Law Bear will not initiate or recommend legal action against researchers who:

  1. Make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  2. Only access an account that you own or that you have explicit permission from the account holder to access
  3. Don't disclose the issue publicly until we've had a chance to address it (we coordinate disclosure with you on timelines)
  4. Don't access more data than necessary to demonstrate the issue, and immediately delete any data you do access
  5. Don't use the issue to access another user's data

If your testing accidentally violates these guidelines, tell us; we'd rather hear about it from you than discover it ourselves.

In scope

The following surfaces are in scope:

  • *.biglawbear.com (production)
  • The mobile-web experience on the same domains
  • The public APIs (anything reachable from a browser without authentication)
  • The candidate-facing offer-letter signing flow
  • Email + webhook-driven flows (via observable side-effects)

Out of scope:

  • Third-party services we depend on (Supabase, Resend, Stripe, etc.); please report these to the vendor directly
  • Social engineering of staff or customers
  • Physical access to our offices or hardware
  • Volumetric / DoS attacks on production
  • Reports based solely on automated scanner output without a working proof-of-concept
  • Self-XSS that requires the victim to paste code into the dev console
  • Issues in third-party apps or extensions installed by the user

Severity guidance

We use the following severity rubric to set response SLAs. The category is ours to set, but feel free to suggest one in your report.

  • Critical: full account takeover; mass data exfiltration; service disruption affecting all users. Fixed in < 14 days.
  • High: single-account takeover; partial data exfiltration; bypass of payment / billing. Fixed in < 30 days.
  • Medium: unauthenticated access to non-sensitive data; CSRF on a low-impact action; stored XSS in a self-only context. Fixed in < 90 days.
  • Low: minor info disclosure; missing security headers; rate-limit gaps without observable damage. Fixed when the next batch ships.

Bug bounty

Big Law Bear does not currently run a paid bug bounty program. We are a small team and pay our security partners through a structured external review every six months.

We do offer two things to researchers who report issues in good faith:

  • Public acknowledgment on this page (with your name + handle if you'd like)
  • Big Law Bear swag: t-shirt, sticker pack, and a personal note from the team

If we ever scale to a paid program, we'll update this page. For now: your work matters to us, and we'll honor it publicly.

Acknowledgments

Researchers who have responsibly disclosed issues to Big Law Bear:

No reports yet. Be the first.

Thank you for taking the time to make Big Law Bear safer. The best security teams treat researchers as partners, and we try to live up to that standard. If our response ever falls short, contact the security team at security@biglawbear.com.