Security
Security & Responsible Disclosure
How to report security vulnerabilities to BuildBase.
Reporting a vulnerability
If you discover a security vulnerability in BuildBase, report it to:
Include as much detail as possible: steps to reproduce, affected endpoints or components, and any proof-of-concept code. The more detail you provide, the faster the issue can be resolved.
What to expect
- Acknowledgment within 2 business days
- An initial assessment within 5 business days
- Regular updates until the issue is resolved
- Credit in our release notes (if you want it) once the fix is deployed
Scope
The following are in scope for responsible disclosure:
- https://www.buildbase.app (marketing website)
- https://console.buildbase.app (application console)
- https://docs.buildbase.app (documentation)
- https://api.console.buildbase.app (API)
- The @buildbase/sdk npm package
The following are out of scope:
- Denial of service (DoS/DDoS) attacks
- Social engineering or phishing of BuildBase staff
- Physical attacks against offices or data centers
- Third-party services (Stripe, Mailgun, Google Cloud, etc.)
- Vulnerabilities in outdated browsers or plugins
- Automated scanning without prior coordination
Guidelines
To qualify for responsible disclosure:
- Do not access, modify, or delete data belonging to other users
- Do not degrade the service or disrupt other users
- Do not publicly disclose the vulnerability before it is fixed
- Act in good faith to avoid privacy violations and data destruction
- Use test accounts you create yourself, not accounts belonging to others
Platform security practices
BuildBase implements the following security measures:
- Encryption at rest and in transit (TLS 1.2+)
- Multi-tenant data isolation with organization-level access controls
- Role-based access control (RBAC) per workspace
- API authentication via signed tokens with scoped permissions
- Webhook payload signing (HMAC-SHA256) for delivery verification
- Credential encryption for all stored API keys and secrets
- Rate limiting on all API endpoints
- Session management with automatic expiration (30-day TTL)
- Bot protection via Cloudflare Turnstile on public forms
- Payment data handled entirely by Stripe (PCI-DSS compliant, no card data stored)
Contact
For security reports or questions:
Email: [email protected]
security.txt: /.well-known/security.txt