Vulnerability Disclosure Policy
Last Updated: June 3, 2026
Buun Group welcomes reports from security researchers who help keep GunSpec.io and its users safe. This policy explains how to report a security issue and what you can expect from us.
We ask that you give us a reasonable opportunity to fix an issue before disclosing it publicly.
1. Scope
This policy covers gunspec.io, api.gunspec.io, and the systems we operate to deliver the Services. Third-party services we rely on, such as our hosting and payment providers, have their own disclosure programs and are out of scope here.
2. How to Report
Email [email protected] with a clear description of the issue, the steps to reproduce it, the affected URL or endpoint, and any proof-of-concept that helps us understand the impact. Please report one issue per message where practical.
3. Researcher Guidelines
Please act in good faith: do not access, modify, or delete data that is not yours; do not degrade the Services for others; use only test accounts and test data; and do not run automated scanning that generates disruptive load. Give us a reasonable time to remediate before any public disclosure.
4. Safe Harbor
If you make a good-faith effort to follow this policy, we will treat your research as authorized, will not pursue legal action against you for it, and will work with you to understand and resolve the issue quickly. If legal action is initiated by a third party against you for activity that complied with this policy, we will make this authorization known.
5. Out of Scope
The following are generally out of scope: denial-of-service attacks, social engineering of our staff or users, physical attacks, spam or volumetric testing, and reports from automated tools without a demonstrated, exploitable impact.
6. Recognition
We do not currently operate a paid bug-bounty program, but we are grateful for responsible disclosure and are happy to acknowledge researchers who report valid issues, with their permission.