Vulnerability Disclosure Policy

Effective date: March 12, 2026

We take security seriously. This policy explains how to responsibly report security vulnerabilities in https://www.bearpackonlineservices.com and related systems operated by Bearpack Sound Lab (Tristan Salisbury).

1) Scope

This policy covers:

• The main website at bearpackonlineservices.com
• The AI chat API endpoint (/api/chat)
• Any other APIs or web services we operate directly

Third-party platforms (YouTube, Spotify, X/Twitter, Facebook, Vercel, OpenAI) are out of scope — please report vulnerabilities in those services to their respective security teams.

2) How to report

Send vulnerability reports to:

• Email: Arcticasters@gmail.com
• Subject line: "Security Vulnerability Report"

Include:

• A clear description of the issue and impact
• Steps to reproduce (proof-of-concept if possible)
• Affected URLs/endpoints/components
• Any relevant screenshots/logs

3) Testing guidelines

Do not:

• Access or modify data that does not belong to you
• Perform denial-of-service attacks
• Publicly disclose the issue before we have a reasonable opportunity to investigate and remediate
• Use automated scanning that materially disrupts services

4) Our response commitment

• Acknowledgement: Within 3 business days of receipt
• Investigation: We will validate and assess the report
• Updates: Progress updates within 7–14 days depending on severity
• Remediation: Critical issues are prioritised accordingly
• No bug bounty: We do not offer a paid bounty programme at this time, but we appreciate responsible disclosure

5) Safe harbour

If you follow this policy and act in good faith, we will not pursue legal action against you for your report.