Security
Vulnerability disclosure policy
civic.bd handles citizen complaint data and we welcome responsible disclosure of vulnerabilities.
Safe harbor
If you make a good-faith effort to comply with this policy during your research, we will not pursue legal action.
Scope
- civic.bd and *.civic.bd domains
- Authenticated and unauthenticated surfaces
- Excludes: third-party dependencies, agency systems we route to
How to report
Email security@civic.bd with a clear reproduction. We aim to acknowledge within 72 hours.
Please do not access citizen data beyond the minimum required to demonstrate the vulnerability, and never publicly disclose before we have remediated.