Responsible Disclosure
We take security seriously and welcome reports from researchers. This page describes what is in scope, how to reach us, and what you can expect from us in return.
Scope
In scope
- The production application at app.buildworkpro.com
- The public REST API at app.buildworkpro.com/api/v1
- The marketing site at buildworkpro.com
- Webhook signing, signature verification, and replay protection
- OAuth 2.1 authorization server and Dynamic Client Registration endpoints
Out of scope
- Third-party services we depend on (Stripe, Cloudflare, Cloudflare R2, Doppler, Railway). Report those to the vendor directly.
- Brute-forcing or load-testing rate-limited endpoints.
- Social engineering, phishing, or any pretexting against BuildWorkPro employees, contractors, or customers.
- Physical security of any office, data center, or employee workstation.
- Findings that require already-compromised end-user devices, browser extensions, or stolen credentials.
- Best-practice and informational findings without a demonstrated security impact (e.g., missing security headers without a working exploit).
How to report
Email security@buildworkpro.com. Include a clear description of the vulnerability, step-by-step reproduction, the affected URL or endpoint, and any supporting evidence (proof-of-concept, screenshots, request/response captures). The more we can reproduce on the first read, the faster we can act.
Response timeline
- Acknowledgment (within 5 business days): we confirm receipt and assign a tracking reference.
- Initial assessment (within 14 business days): we share severity, scope, and our preliminary remediation plan.
PGP Key
Coming soon. For now, please email unencrypted reports to security@buildworkpro.com. If your report contains highly sensitive material, contact us first and we will arrange an encrypted channel before you send details.
What we do
- Acknowledge every legitimate report in writing.
- Coordinate disclosure timing with you before publishing details.
- Credit you on our security acknowledgments page if you would like.
- Keep you updated as we triage, fix, and verify.
What we don't do (yet)
- Pay a monetary bug bounty at launch. Acknowledgment and credit only.
- Operate an automated triage platform. Reports go directly to a human on our security team.
Safe harbor
We will not pursue legal action against good-faith security researchers who follow this policy. To qualify for safe harbor:
- Test only against accounts you own or where you have explicit written permission from the account owner.
- Do not access, modify, or destroy data that does not belong to you.
- Do not degrade service availability for other customers.
- Stop and report as soon as you confirm the issue. Do not pivot, escalate, or persist further than necessary to demonstrate impact.
- Give us reasonable time to remediate before any public disclosure.
If you are uncertain whether an action is in scope or in good faith, contact security@buildworkpro.com first — we would much rather answer a question than read about it later.
For an overview of our security posture, see the Security page.