# Vulnerability Disclosure Policy

At byus&co., the security of our systems and data is a top priority. We are grat
eful to the security community for their efforts in identifying vulnerabilities 
and helping us maintain a safe environment for our users.

## Reporting Security Vulnerabilities

If you discover a security vulnerability in our services, we encourage you to no
tify us as soon as possible. Please contact us at security@casican.me with the f
ollowing details:

- A description of the vulnerability and its potential impact.
- Detailed steps to reproduce the issue (proof of concept code, screenshots, or 
videos are helpful).
- Any additional information that might help us resolve the issue.

We commit to acknowledging your report within 5 business days and will strive to
 keep you informed throughout our investigation.

## Access to Testing Environment

We understand that some vulnerability testing may require actions that could be 
disruptive or potentially destructive to our production environment. If, during 
your research, you determine that such testing is necessary, please reach out to
 us.

- Requesting Access: Contact us at security@casican.me to request access to our 
testing environment. This environment closely mirrors our production setup and i
s designed for safe testing.
- Eligibility: Access will be provided at our discretion, typically after you ha
ve conducted initial investigation and demonstrated a need for such an environme
nt.
- Usage Guidelines: The testing environment is provided solely for security rese
arch purposes. Use of this environment must comply with our guidelines and any a
dditional terms provided upon access.

We are committed to working collaboratively with you to facilitate your research
 while ensuring the integrity and availability of our services.

## Our Commitment to You

- We will work diligently to investigate and resolve valid security issues.
- We will keep you updated on the status of reported vulnerabilities.
- We will credit you for your discovery if you wish (unless you prefer to remain
 anonymous).

## Guidelines for Responsible Disclosure

To ensure the safety of our users and systems, we kindly request that you:

- Avoid actions that could harm our services or users (such as accessing, modify
ing, or destroying data).
- Refrain from disclosing the vulnerability publicly before we have had a reason
able time to address it.
- Do not engage in testing that could lead to denial-of-service (DoS) conditions
 or degradation of our services.
- If potentially destructive testing is needed, contact us to request access to 
a safe testing environment.

## Recognition and Appreciation

We value the contributions of security researchers and aim to show our appreciat
ion. As a small venture company with limited resources, we may offer a modest re
ward for significant and impactful findings. The reward amount is at our discret
ion and depends on the severity of the issue and our current capabilities.

Please note:

- Not all reports may qualify for a monetary reward.
- Alternative forms of recognition (such as a public acknowledgment) are also av
ailable if preferred.

## Legal Safe Harbor

We will not initiate legal action against researchers who:

- Engage in testing within the scope of this policy.
- Make a good faith effort to avoid privacy violations, destruction of data, and
 interruption or degradation of our services.
- Report the vulnerability to us promptly and do not disclose it to others until
 we have addressed it.

---

Thank you for helping us protect our users and improve our services. Your effort
s are greatly appreciated.