Vulnerability Disclosure Policy

The protection of our customers' security and data is a priority for Real Bagrain LLC. We value the contributions of the security research community and encourage reporting of vulnerabilities found in our services.

✅ What is subject to testing

Our program only covers resources related to the domain avrora.ua and all subdomains.

We consider the following types of vulnerabilities:

• Unauthorized access (IDOR, authentication bypass, etc.)
• RCE, SQLi, SSRF, XXE, XSS
• Sensitive data leaks
• Session attacks (e.g., session fixation)
• Other critical threats that impact security

❌ We do not consider

• Self-XSS, clickjacking without impact
• Absence of security headers
• Entries in robots.txt, debug logs without confidential information
• Social engineering, DoS, DDoS, phishing
• Testing of third-party services and partner integrations

🚫 Forbidden testing methods

For the safety of our systems and users, the following are strictly prohibited:

• Testing resources outside avrora.ua (including suppliers or third-party integrations)
• Social engineering: phishing, vishing, spam, manipulation of personnel
• DoS/DDoS: any attacks or tests that may cause denial of service
• Testing resource-intensive scenarios that create a heavy load
• Using exploits to steal data or access the shell
• Running malicious software, Trojans, viruses, or worms
• Brute-force, rainbow tables, and password cracking
• Altering, deleting, or destroying company data
• Any actions that affect the availability of services or data

📤 How to inform us about a vulnerability

Please send reports to [email protected]
(We recommend using PGP to encrypt your emails)

In your report, please include:

• Description of the vulnerability, type, impact
• Steps to reproduce
• Evidence (screenshots, requests)
• Technical details (environment, version)
• Your name or pseudonym (Optional)

Reports that do not contain sufficient data for verification may be rejected or processed with a delay.

⏱ Processing

We will acknowledge receipt of your report within 10 days and inform you of its status. Once the issue has been fixed, we will notify you of its completion. If you plan to disclose the issue publicly, please inform us in advance.

🤝 Guarantees

We will not take law enforcement action against those who investigate in good faith and act in accordance with this policy.