Security

Vulnerability disclosure policy

civic.bd handles citizen complaint data and we welcome responsible disclosure of vulnerabilities.

Safe harbor

If you make a good-faith effort to comply with this policy during your research, we will not pursue legal action.

Scope

  • civic.bd and *.civic.bd domains
  • Authenticated and unauthenticated surfaces
  • Excludes: third-party dependencies, agency systems we route to

How to report

Email security@civic.bd with a clear reproduction. We aim to acknowledge within 72 hours.

Please do not access citizen data beyond the minimum required to demonstrate the vulnerability, and never publicly disclose before we have remediated.