BES does not operate a bug bounty program.
Beg bounties will not be accepted either.
By all means, if you find an actual security vulnerability then contact us and tell us what it is. If you find something awesome then we'd love to send you some stickers. But if you've just run some automated tooling, found something trivial then reached out with the expectation of cashing in, you're going to be disappointed.
For Tamanu, use its github security vulnerability disclosure page.
For all other reports, or if you're not sure, email [email protected].
You may also wish to consult our security.txt file.
BES runs a number of test sites. These are out of scope for data breaches and credential compromise.
BES is frequently found when researching systems that we interact with but do not develop. You may be looking for:
- (2025-02-10) Omri — A DNS configuration issue