Version: 1.0
Effective date: 10 September 2025
Summary (TL;DR)
If you believe you’ve found a security issue in a BambooSIM system, please tell us—responsibly and privately. We’ll acknowledge your report, investigate, and fix validated issues. Acting in good faith within this policy earns you safe-harbor protections and, where applicable, public recognition in our Hall of Fame.
Purpose
Security is core to BambooSIM’s mission. This policy sets out how security researchers (“you”) can report potential vulnerabilities to us and what you can expect in return.
Scope
In scope (owned/operated by BambooSIM):
- Public web properties: *.bamboosim.com and bamboosim.com
- Mobile apps: the BambooSIM Android and iOS apps (com.bamboosim.mobile)
- APIs and backend services associated with BambooSIM products
- Customer and partner portals hosted by BambooSIM
- eSIM lifecycle & provisioning services operated by BambooSIM
Out of scope (please do not test):
- Third-party platforms or vendors not controlled by BambooSIM (e.g., payment processors, CDNs, app store listings)
- Marketing microsites or sandbox environments not handling production data
- Any service explicitly listed as “Out of Scope” on this page from time to time
If you’re unsure whether a target is in scope, report first—do not continue testing.
Reporting
Email: [email protected]
PGP:
fingerprint: 7D22 86FA C7E6 B7D8 880F CB6C 5ACF 720D 9B9D 978A
Subject line: VDP: <brief issue description>
Please include:
- A clear description of the issue and impact
- Step-by-step reproduction instructions (PoC code, payloads, or screenshots)
- The affected host/app/API route and any account IDs used in testing
- Your suggested remediation (if any)
- Contact details for follow-up
Data handling: If you accidentally access user data, stop immediately, do not store it, and include a minimal description in your report so we can help with remediation and notification if required.
Our Commitment to You
When you report a vulnerability consistent with this policy, we will:
- Acknowledge receipt within 3 business days (AEST/AEDT).
- Triage and keep you updated at meaningful stages (triaged, validated, fix in progress, fixed).
- Remediate according to our severity targets (below).
- Credit you in our Hall of Fame (with your consent) after remediation.
- Provide safe-harbor protections (see Legal Safe Harbor).
Rules of Engagement
Allowed
- Testing only against your own accounts or test data you control
- Non-destructive testing of in-scope assets
- Good-faith efforts to avoid privacy violations and service degradation
Not allowed
- Denial of Service (DoS/DDoS), volumetric or resource-exhaustion attacks
- Ransomware, backdoors, or maintaining persistent access
- Social engineering (including phishing) of BambooSIM staff, customers, or partners
- Physical security attacks or attempts to access offices/equipment
- Spam, credential stuffing, or brute force beyond limited, targeted testing
- Interacting with or exfiltrating real customer data (stop if encountered)
If you need to demonstrate impact, use the minimum necessary. Proofs of read-only access are sufficient—no data modification or deletion.
What We Consider Security Issues (Examples)
Typically in scope
- Authentication/authorisation flaws (IDOR/BOLA, privilege escalation)
- Injection vulnerabilities (SQLi, command, template, LDAP)
- Cross-site scripting (stored/reflected), CSRF with meaningful impact
- Business logic flaws affecting billing, provisioning, or eSIM lifecycle
- SSRF, RCE, insecure deserialization
- Sensitive data exposure, improper crypto or key management
- Misconfigured cloud resources exposing sensitive data
Typically out of scope
- Clickjacking with no sensitive action
- Username/email enumeration without additional risk
- Missing security headers without demonstrable impact
- Use of outdated libraries without a proven exploit path
- SPF/DMARC/DKIM misconfig alone
- Rate-limit suggestions without a viable abuse scenario
Severity & Remediation Targets
We use CVSS v4.0 as a guideline plus contextual business impact:
- Critical (unauthenticated RCE; auth bypass to high-value data; full account takeover): mitigate within 7 days, fix within 14 days
- High (privilege escalation; SSRF with data access; IDOR to sensitive records): mitigate within 14 days, fix within 30 days
- Medium (stored XSS; sensitive info leak requiring user interaction): fix within 90 days
- Low (best-practice gaps with limited impact): fix within 180 days
Targets are goals, not guarantees. We may accelerate timelines for active exploitation.
Disclosure Timing
- We request coordinated disclosure: please do not publicly disclose details until we confirm a fix or 90 days have elapsed since acknowledgment—whichever comes first.
- If active exploitation is observed, we may request a shorter embargo to protect users; we’ll coordinate with you.
Recognition & Rewards
This is a VDP (non-bounty) program. While we do not offer monetary rewards by default, we may offer:
- Public acknowledgment in our Hall of Fame
- Swag or a thank-you note at our discretion
Duplicates: If multiple reports cover the same root issue, recognition goes to the first clear, actionable report.
Third-Party & Shared Responsibility
- If the issue lies with a third-party vendor, we’ll coordinate with them and keep you informed where possible.
- For issues impacting multiple customers or partners, we may prioritize broad mitigations before full fixes.
Legal Safe Harbor
We will not initiate legal action or law-enforcement referral for good-faith research that:
- Adheres to this policy, and
- Is limited to in-scope systems, and
- Avoids privacy violations, service degradation, persistence, and data exfiltration
This includes protection under relevant anti-circumvention and anti-hacking laws (e.g., DMCA §1201 and local computer-misuse laws) to the fullest extent we can provide. If a third party initiates legal action and you’ve complied with this policy, we will make it clear that your actions were authorised research.
Important: This policy does not provide authorisation to access data you do not own. If in doubt, stop and report.
Privacy & Data
- Do not intentionally access, store, transmit, or share BambooSIM customer data.
- If you unintentionally access data: stop testing, minimize exposure, and report immediately.
- Delete any copies after we confirm receipt of your report.
How We Communicate
- Status updates at major stages (triage, validation, fix ETA, release).
- If you prefer encrypted communications, use our PGP key.
- All times/dates referenced are Australia/Melbourne time (AEST/AEDT).
Responsible Disclosure Hall of Fame
We maintain a public page thanking researchers who help secure BambooSIM. To be listed, provide the preferred name/handle and link (optional) in your report.
Changes to This Policy
We may update this policy from time to time. Material changes will be dated and posted here.
Contact
- Security team: [email protected]
- Emergency (active exploitation): Use the same email with subject prefix URGENT and include a phone/Signal contact for quick coordination.