HeartBadge docs

Responsible Disclosure

How to report a security vulnerability to HeartChain Labs.

We welcome security research on the HeartBadge protocol and the hosted HeartBadge surface. If you've found a vulnerability, please disclose it responsibly. We will work with you in good faith and will not take legal action against researchers who follow this policy.

Scope

In scope: the HeartBadge protocol code, the hosted APIs at *.heartbadge.com, the operator console, the member wallet app, and the TypeScript SDK. Out of scope: programs running on HeartBadge (report those to the program operator directly), third-party vendors, and social engineering of HeartChain Labs employees.

How to report

Email security@heartbadge.com with:

  • A clear description of the vulnerability
  • Steps to reproduce
  • The impact you believe it has
  • Any proof-of-concept code (optional)

What to expect

  • We acknowledge receipt within two business days.
  • We work with you on reproduction and severity assessment.
  • We patch and deploy. Timelines depend on severity.
  • We coordinate public disclosure once a fix is in place. Typical embargo is 90 days from report, negotiable for actively exploited issues.
  • We publicly credit researchers who request credit.

What we ask

  • Give us reasonable time to fix before publicly disclosing.
  • Don't access, modify, or destroy data that isn't yours during testing.
  • Don't perform testing that would degrade service for other users (DoS, resource exhaustion), and don't social-engineer staff or users.

Bounty

We run a private bug bounty for qualifying reports. Severity and payout ranges are shared with active researchers after the first in-scope report.