Security

Security reporting


We have established the following security reporting procedure to address security issues quickly.

Our commitment to solving security issues

  • We will respond to your report within three business days with an evaluation and expected resolution date.
  • We will handle your report with strict confidentiality and not share any personal details with third parties without your permission.
  • We will keep you informed of the progress towards resolving the problem.
  • After the report has been resolved, we will credit the finding to you in our public security.txt document, unless you prefer to stay anonymous.
  • If we need to access proprietary information or personal data stored in BA to investigate or respond to a security report, we shall act in good faith and in compliance with applicable confidentiality, personal data protection, and other obligations.

We strive to resolve all problems quickly and publicize any discoveries after their resolution.

Bug bounty program with HackerOne

BA offers a public bug bounty program. If you discover a vulnerability, report it through our bug bounty program.

How to disclose vulnerabilities

BA pays close attention to the proper security of its information and communication systems. Despite these efforts, it is not possible to entirely exclude the existence of security vulnerabilities.

If you identify a security vulnerability, please proceed as follows under the principle of responsible disclosure:

  • Report the security vulnerability to BA by contacting us at [email protected]. Provide as much information about the security vulnerability as possible.
  • Do not exploit the security vulnerability, for example by using it to breach data, change the data of third parties, or deliberately disrupt the availability of the service.
  • All activities relating to the discovery of the security vulnerability should be performed within the framework of the law.
  • Do not inform any third parties about the security vulnerability. All communication regarding the security vulnerability will be coordinated by BA and our partners.
  • If the above conditions are respected, BA will not take any legal steps against the party that reported the security vulnerability.
  • In the event of a non-anonymous report, BA will inform the party that submitted the report of the steps it intends to take and the progress toward closing the security vulnerability.

Frequently Asked Questions

What qualifies for the bug bounty program?
Vulnerabilities that impact the confidentiality, integrity, or availability of customer data or our infrastructure. This includes authentication bypasses, SQL injection, privilege escalation, and data exposure issues.

What is out of scope?
Social engineering, physical attacks, denial of service, and issues in third-party services. See our HackerOne program page for the complete scope definition.

How long until I receive a response?
We aim to acknowledge reports within 3 business days and provide an initial assessment within 10 business days. Complex issues may require additional time for investigation.

Can I publicly disclose a vulnerability I reported?
Please coordinate with our security team before any public disclosure. We typically request a 90-day window to address vulnerabilities before public disclosure.