Contact: mailto:security@butterflysecurity.org
Contact: https://butterflysecurity.org/security
Expires: 2027-06-10T16:09:27Z
Preferred-Languages: en
Canonical: https://butterflysecurity.org/.well-known/security.txt
Policy: https://butterflysecurity.org/security

# Butterfly Security responsible disclosure
# We review good-faith security reports within 72 hours.
# Please include the affected asset, reproduction steps, observed impact,
# and any supporting evidence such as request IDs, screenshots, or logs.
# Public acknowledgments are available with researcher consent.

# In scope:
# - butterflysecurity.org (marketing + product + API)
# - app.butterflysecurity.org
# - mcp.butterflysecurity.org
# - The Butterfly Chrome extension (id: ofjkckkkepibacofllfegfmpdaiecgmp)

# Out of scope:
# - Denial-of-service, DDoS, or volumetric testing
# - Data destruction or privacy-invasive testing
# - Social engineering of Butterfly staff
# - Physical security testing
# - Issues in third-party services; report those to the vendor directly