Vulnerability Disclosure Policy
Bailar's coordinated-disclosure policy for security researchers, including safe-harbor language, scope, reporting channel, and response SLA.
Effective Date: May 24, 2026
Bailar, Inc., a Delaware corporation (successor by statutory conversion effective May 4, 2026 to Bailar LLC, a Florida limited liability company) (“Bailar,” “we,” “us,” or “our”) takes the security of its users and Studios seriously. We welcome reports from security researchers about potential vulnerabilities in the Bailar mobile application, the website at bailar.site, the Studio dashboard at bailar.site/manage, and our public API surfaces (collectively, the “in-scope assets”).
This Policy is the canonical resource referenced from our security.txt file under RFC 9116.
1. SAFE-HARBOR COMMITMENT
If you make a good-faith effort to comply with this Policy when reporting a vulnerability to us, Bailar will not pursue, support, or recommend a civil or criminal action against you arising from your security research. We consider activities conducted consistently with this Policy to be “authorized” conduct under applicable computer-misuse laws (including 18 U.S.C. § 1030, similar state laws, and the Florida Computer Crimes Act). To the extent your research touches the property or rights of a third party who is not under our control (for example, one of our subprocessors), our safe-harbor commitment does not bind that third party; you remain responsible for complying with the relevant law and the relevant third party’s own program.
If you are unsure whether a planned testing activity is consistent with this Policy, please contact us at legal@bailar.site before you proceed; we will work with you in good faith.
2. IN-SCOPE ASSETS
The following Bailar-controlled assets are in scope for testing under this Policy:
(a) the Bailar mobile application on iOS and Android, distributed through the Apple App Store and Google Play under the bundle identifier com.paulplawin.bailar;
(b) the public website at https://bailar.site and all sub-paths under it, including the Studio dashboard at https://bailar.site/manage and the Staff dashboard at https://bailar.site/staff;
(c) public REST and RPC endpoints exposed under https://bailar.site/api/ and the Supabase project endpoints linked to Bailar production data;
(d) the .well-known/security.txt endpoint and any other RFC 9116 metadata; and
(e) Bailar-controlled subdomains of bailar.site that are not explicitly out of scope under Section 3.
3. OUT-OF-SCOPE ASSETS AND ACTIVITY
The following are out of scope under this Policy. Testing them is not authorized, and we cannot offer safe-harbor protection for such testing:
(a) Third-party infrastructure we do not operate — including Supabase’s console, Vercel’s console, Stripe’s dashboard, Cloudflare’s edge, Apple App Store servers, Google Play servers, Twilio, Resend, RevenueCat, Sentry, PostHog, and our other subprocessors; report to each vendor’s own program if you find an issue there;
(b) Denial-of-service (DoS) and distributed denial-of-service (DDoS) testing, large-scale fuzzing, automated brute-forcing against authentication endpoints, or any test that materially degrades availability for other users;
(c) Physical-security testing, social engineering of Bailar personnel, users, or Studio operators, phishing campaigns, or pretexting;
(d) Spam, defamatory, or unsolicited bulk traffic, and any test that uses the messaging or notification surfaces to send content to other users;
(e) Use of CSAM, sexualized imagery of minors, or any content prohibited by the Child Safety Standards;
(f) Findings that depend on exfiltrating other users’ data; demonstrate the issue with your own test account and the minimum data necessary to prove the finding;
(g) Reports based purely on public sources or scanners — for example, a missing security header on a low-impact endpoint, a weak TLS cipher already deprecated by the cloud provider, or an information disclosure about the build framework — without a concrete impact demonstration; and
(h) Findings on bailar-claude, the M1 sim-server Mac at the operator’s residence, or any other equipment not exposed on the public internet.
4. RULES OF ENGAGEMENT
4.1 Use your own test accounts. Do not attempt to access, view, or download data belonging to other users or Studios; if you incidentally access such data, stop immediately, do not share it, and inform us as part of your report.
4.2 Make a good-faith effort to avoid privacy violations, data destruction, service degradation, and interruption of business operations. Stop testing and notify us as soon as you have proven impact.
4.3 Do not modify, delete, encrypt, or exfiltrate data. Do not attempt to maintain access (do not install a backdoor, persistence, or implant).
4.4 Do not test against production Stripe accounts, KYC flows, or anything that could affect a Host’s payouts.
4.5 Do not publicly disclose the vulnerability until we have confirmed remediation, or until ninety (90) days have passed since your report, whichever comes first — unless we mutually agree to a different timeline.
5. HOW TO REPORT
Email legal@bailar.site with the subject line “Vulnerability report — [brief title]”. Encrypted email is welcome — request our PGP public key in your first email and we will reply with a fingerprint and key file.
Please include in your report:
(a) a clear description of the vulnerability and the impact on confidentiality, integrity, or availability of data;
(b) the affected URLs, endpoints, application screens, or platform versions, with the timestamp of testing;
(c) reproducible steps, including any payloads, request bodies, or screenshots needed;
(d) where applicable, your suggested remediation or mitigation;
(e) whether you have informed any third party of the issue; and
(f) how you would like to be credited if you wish to be credited publicly (a name, a handle, or anonymous).
6. RESPONSE SLA
We aim to:
(a) acknowledge receipt of your report within two (2) business days;
(b) provide a preliminary triage within seven (7) business days, in which we accept the report, ask follow-up questions, or close it as out of scope;
(c) communicate a remediation plan and target timeline for accepted issues; and
(d) keep you informed at material milestones until the issue is resolved.
7. RECOGNITION AND BOUNTY
Bailar does not currently operate a paid bug-bounty program. For accepted reports we offer:
(a) public acknowledgment in a Hall of Fame on this page (with your consent and chosen name);
(b) a Bailar swag pack (where shipping is feasible); and
(c) credit in any associated changelog or post-mortem we publish.
We may, at our sole discretion, offer a discretionary monetary reward for exceptional reports. This Policy does not create any right to a reward.
8. CHANGES TO THIS POLICY
We may update this Policy from time to time. Reports made under a prior version remain governed by the version in effect on the date of the report.
HALL OF FAME
Researchers acknowledged for accepted reports are listed here as they accumulate. The list is currently empty — help us start it.
CONTACT
Bailar, Inc.
Attn: Security
401 Ocean Dr, Suite 404
Miami Beach, FL 33139
United States
legal@bailar.site