"BastionID Global considers the security of our systems a top priority. However, unauthorized testing or intrusion attempts outside this scope will be treated as hostile acts and met with immediate legal prosecution."
We endorse a policy of Coordinated Vulnerability Disclosure (CVD). If you conduct security research in good faith and in compliance with this policy, BastionID Global will consider your actions authorized. We will not pursue civil or criminal action against you, and we will advocate on your behalf should third parties attempt legal action.
HOWEVER: This Safe Harbor does not apply to research that involves:
• Accessing, modifying, or deleting client data (Zero-Tolerance).
• Denial of Service (DoS/DDoS) attacks.
• Social Engineering (Phishing) of BastionID employees.
!!! STRICTLY OUT OF SCOPE: Third-party hosting providers (AWS, Cloudflare) and personal devices of employees.
Vulnerabilities must be reported securely via our PGP-encrypted channel. Do not disclose findings publicly until 90 days after the initial report or until a fix is deployed.
BastionID Global reserves the right to modify this policy at any time.
Last Updated: Jan 18, 2026.