Security

Security & Responsible Disclosure

How to report security vulnerabilities to BuildBase.

Reporting a vulnerability

If you discover a security vulnerability in BuildBase, report it to:

[email protected]

Include as much detail as possible: steps to reproduce, affected endpoints or components, and any proof-of-concept code. The more detail you provide, the faster the issue can be resolved.

What to expect

  • Acknowledgment within 2 business days
  • An initial assessment within 5 business days
  • Regular updates until the issue is resolved
  • Credit in our release notes (if you want it) once the fix is deployed

Scope

The following are in scope for responsible disclosure:

  • https://www.buildbase.app (marketing website)
  • https://console.buildbase.app (application console)
  • https://docs.buildbase.app (documentation)
  • https://api.console.buildbase.app (API)
  • The @buildbase/sdk npm package

The following are out of scope:

  • Denial of service (DoS/DDoS) attacks
  • Social engineering or phishing of BuildBase staff
  • Physical attacks against offices or data centers
  • Third-party services (Stripe, Mailgun, Google Cloud, etc.)
  • Vulnerabilities in outdated browsers or plugins
  • Automated scanning without prior coordination

Guidelines

To qualify for responsible disclosure:

  • Do not access, modify, or delete data belonging to other users
  • Do not degrade the service or disrupt other users
  • Do not publicly disclose the vulnerability before it is fixed
  • Act in good faith to avoid privacy violations and data destruction
  • Use test accounts you create yourself, not accounts belonging to others

Platform security practices

BuildBase implements the following security measures:

  • Encryption at rest and in transit (TLS 1.2+)
  • Multi-tenant data isolation with organization-level access controls
  • Role-based access control (RBAC) per workspace
  • API authentication via signed tokens with scoped permissions
  • Webhook payload signing (HMAC-SHA256) for delivery verification
  • Credential encryption for all stored API keys and secrets
  • Rate limiting on all API endpoints
  • Session management with automatic expiration (30-day TTL)
  • Bot protection via Cloudflare Turnstile on public forms
  • Payment data handled entirely by Stripe (PCI-DSS compliant, no card data stored)

Contact

For security reports or questions: