Security & Vulnerability Disclosure

Last updated: May 29, 2026

1. Our commitment

BusyBuddy takes the security of our platform and our customers' data seriously. We welcome reports from independent security researchers, customers, and the broader community. If you believe you've found a security vulnerability in any BusyBuddy product, service, or infrastructure, we want to hear from you.

2. How to report a vulnerability

Please email security@busybuddycrm.com with:

  • A clear description of the issue and its potential impact
  • Step-by-step instructions to reproduce
  • Any proof-of-concept code, screenshots, or HTTP requests that help us verify
  • The URL, endpoint, or component affected
  • Your name or handle (optional) for credit, and how you'd like to be contacted

You may PGP-encrypt sensitive reports — request our key by email and we will share it directly.

3. What to expect from us

  • Acknowledgement: within 3 business days of receipt.
  • Triage and initial assessment: within 7 business days.
  • Status updates: at least every 14 days while the issue is being investigated or remediated.
  • Remediation targets: critical and high-severity issues are prioritized and patched as quickly as practical; medium and low-severity issues are scheduled into our normal release cycle.
  • Credit: with your permission we will publicly acknowledge your contribution after the issue is resolved.

4. Scope

In scope:

  • busybuddycrm.com and *.busybuddycrm.com
  • The BusyBuddy web application and all first-party APIs
  • Authentication, session, and authorization flows
  • Data handling, RLS bypass, and tenant-isolation issues
  • Integrations we operate (Google, Meta, Square, PayPal, Stripe, etc.) as configured by BusyBuddy

Out of scope:

  • Third-party services we integrate with — report those directly to the third party
  • Denial-of-service, volumetric, or stress-testing attacks
  • Social engineering of BusyBuddy staff, customers, or vendors
  • Physical attacks against our offices or staff
  • Reports based solely on missing security headers, SPF/DKIM/DMARC nits, banner version disclosure, or CSV-injection in export files with no demonstrable impact
  • Self-XSS, clickjacking on unauthenticated pages with no sensitive action, or rate-limit gaps with no impact
  • Findings from automated scanners without a working proof-of-concept

5. Safe harbor

We will not pursue civil action or initiate a complaint to law enforcement for accidental, good-faith violations of this policy. We consider activity conducted in compliance with this policy to be authorized conduct under the Computer Fraud and Abuse Act, DMCA anti-circumvention provisions, and analogous laws. We waive any restriction in our Terms of Service that would interfere with security research conducted under this policy, for that research only.

To stay within safe harbor, please:

  • Use only test accounts you own, or accounts you have explicit permission to test. Do not access, modify, or exfiltrate data belonging to other customers.
  • Stop testing and notify us immediately if you encounter customer data.
  • Do not perform actions that degrade availability or quality of service for other users.
  • Give us a reasonable opportunity to remediate before publicly disclosing.
  • Comply with all applicable laws.

If legal action is initiated against you by a third party for activity conducted in compliance with this policy, we will make our authorization known.

6. Disclosure

We follow a coordinated disclosure model. Please give us a reasonable remediation window — typically 90 days from initial report, or sooner if the issue is already being exploited. We're happy to coordinate a public write-up after the fix is shipped.

7. Bug bounty

BusyBuddy does not currently operate a paid bug bounty program. We're grateful for responsible reports and will provide public acknowledgement (with your permission) for valid findings.

8. Security program highlights

  • Data and credentials are encrypted in transit (TLS 1.2+) and at rest.
  • OAuth access and refresh tokens for third-party integrations are encrypted at rest with AES-256-GCM.
  • Row-level security on all tenant data tables; service-role access is restricted to server code paths.
  • Mandatory two-factor authentication for organization admins inside the BusyBuddy app.
  • Documented secret rotation policy for all production credentials.
  • Webhook signatures verified for every external payments/CRM webhook (Square, PayPal, Meta, Google).
  • Stored XSS protection via DOMPurify on all user-generated HTML (contracts, templates).

9. Machine-readable policy

A machine-readable version of this policy is published at /.well-known/security.txt per RFC 9116.
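As an added illustration (not BusyBuddy's own file or code), the following Python checks a constructed security.txt against the RFC 9116 rules a publisher most often gets wrong: at least one Contact, exactly one Expires that is a valid RFC 3339 timestamp still in the future, and at most one Preferred-Languages. The sample content and Expires date are placeholders; the only real value used is the reporting address published on this page.

```python
# Added example, not BusyBuddy's code: minimal RFC 9116 security.txt checker.
from datetime import datetime, timezone

REQUIRED = ("contact", "expires")                  # RFC 9116 makes both mandatory
AT_MOST_ONCE = ("expires", "preferred-languages")  # RFC 9116 allows each only once
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")  # contact values must be URIs

def parse_security_txt(text):
    """Map lower-cased field name -> list of values; comments and blank lines are skipped."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # lines without a "field: value" shape are ignored rather than fatal
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def _rfc3339(value):
    """Parse an RFC 3339 timestamp into an aware datetime; zone-less values are rejected."""
    when = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    if when.tzinfo is None:
        raise ValueError("missing time zone")
    return when

def validate_security_txt(text, now=None):
    """Return a list of problems (empty means the file passes the checks).
    `now` is an RFC 3339 string for deterministic checks; None means current UTC time."""
    now_dt = _rfc3339(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field {n}" for n in REQUIRED if n not in fields]
    problems += [f"field {n} must appear at most once"
                 for n in AT_MOST_ONCE if len(fields.get(n, [])) > 1]
    for exp in fields.get("expires", []):
        try:
            if _rfc3339(exp) <= now_dt:
                problems.append("expires is in the past")
        except ValueError:
            problems.append("expires is not an RFC 3339 date-time")
    for contact in fields.get("contact", []):
        if not contact.startswith(CONTACT_SCHEMES):
            problems.append(f"contact is not a mailto/tel/https URI: {contact}")
    return problems

# Constructed sample: real reporting address from this page, placeholder Expires date.
SAMPLE = """# security.txt for busybuddycrm.com (constructed example)
Contact: mailto:security@busybuddycrm.com
Expires: 2027-01-01T00:00:00Z
Preferred-Languages: en
"""
```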

10. Contact

BUSYBUDDY, LLC

PO Box 681103

Franklin, TN 37068

Security reports: security@busybuddycrm.com

Privacy: privacy@busybuddycrm.com