Security is a first-class concern at BrandJet AI. This page covers how we secure customer data, how to report a vulnerability, and what the bug bounty rewards.
How we secure your data
- All data in transit is encrypted with TLS 1.2+.
- Data at rest is encrypted with AES-256 in our managed PostgreSQL.
- OAuth tokens and SMTP passwords are encrypted at the column level with rotation keys held in a separate KMS.
- Production access is limited to a small on-call team, with audit logs on every read and write.
- We run continuous dependency scanning and quarterly third-party penetration tests.
Compliance
- SOC 2 Type II audit in progress; report available under NDA when complete.
- GDPR-compliant data processing, with sub-processor list at Settings → Privacy.
- Data processing agreement available for Pro plans and above.
Reporting a vulnerability
If you have found a security issue, we want to know. Email security@brandjet.ai with:
- A clear description of the issue.
- Steps to reproduce, including any URLs, payloads, or scripts.
- The impact you believe the issue has.
- Your contact details and (optionally) GitHub handle for credit.
We acknowledge every report within 1 business day. Critical issues are triaged the same day.
Responsible disclosure policy
We treat security researchers as partners. If you follow these rules, we will not take legal action and will work with you in good faith:
- Do not access or modify other customers' data.
- Do not perform denial-of-service or volumetric tests.
- Do not run automated scanners against production for more than a few minutes at a time.
- Give us 90 days to remediate before public disclosure (we will usually be faster).
- Test on accounts you own. Create dedicated test workspaces rather than touching real data.
Bug bounty
Yes, we run a bug bounty program. Rewards are based on severity and impact:
- Critical (RCE, account takeover, mass data exfiltration): up to $5,000
- High (auth bypass, privilege escalation, sensitive PII leak): up to $1,500
- Medium (CSRF, stored XSS, IDOR with limited impact): up to $500
- Low (reflected XSS, info disclosure, missing best-practice headers): swag or up to $100
Final reward amount is at our discretion based on severity, exploitability, and report quality. First valid report wins; duplicates are not rewarded.
What is out of scope
- Social engineering of staff or customers.
- Physical attacks against our offices or staff.
- Reports based purely on missing best-practice headers without a demonstrable exploit.
- Vulnerabilities in third-party services we do not control (please report those to the vendor).
- Self-XSS without a clear attacker pathway.
Hall of fame
We publish a hall of fame at brandjet.ai/security/hall-of-fame recognising researchers who have helped us improve. With your consent, we will include your name or handle.