Security: brainuslk/brainus-ai-api

Security Policy

Reporting a Vulnerability

Please do not report security vulnerabilities through public GitHub issues.

If you discover a security vulnerability in BrainUs AI API, report it through our Vulnerability Disclosure Program (powered by HackerOne). The VDP form includes our full guidelines and preferred submission format.

Alternatively, you can email security@crew.brainus.lk with:

  • A description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Any suggested fixes (optional)

We will acknowledge your report within 48 hours and aim to resolve confirmed vulnerabilities within 14 days. We'll keep you updated throughout the process.

Responsible Disclosure

We ask that you:

  • Give us reasonable time to fix the issue before public disclosure
  • Avoid accessing or modifying data that isn't yours
  • Do not perform denial-of-service attacks

We will not take legal action against researchers who follow these guidelines.

Scope

This policy covers the BrainUs AI API (api.brainus.lk) and the developer portal (developers.brainus.lk).

Out of scope: third-party services, social engineering, and physical attacks.
