Security

Responsible Disclosure

Responsible Disclosure


Overview

Brex values the trust our customers place in us. Protecting customer information through the security and integrity of our systems, infrastructure, applications, and data is our priority. If you believe you have discovered a vulnerability in our systems or applications, we request that you disclose it to us in a responsible manner using the form below. All reports will be subject to the disclosure policy below.


By submitting the form, you acknowledge you have read, understand, and agree to abide by the guidelines described in the disclosure policy. Brex will not take legal action against researchers who discover and report vulnerabilities in good faith and that adhere to this disclosure policy, and will work with you to understand and validate the suspected vulnerability.


Disclosure Policy

  • You may not disclose of a vulnerability, finding, or information you discover or have access to as a result of a vulnerability without the written consent from Brex. Further, you will not publicize anything that harms Brex’s reputation or jeopardizes the integrity of Brex’s systems, infrastructure, applications, or data.
  • You may not access, download, copy, or store information accessible due to a vulnerability. If you happen to find any information as a result of a vulnerability, you will report the issue to us immediately and not make any further attempts to exploit the vulnerability.
  • You may not initiate or participate in any denial of service attacks or any attacks that may degrade the performance of our website or services.
  • You must comply with applicable international, national, state, and local laws and applicable agreements with Brex or others.
  • You may not tamper with, modify, or attempt to modify or destroy any information resulting from a vulnerability.
  • You may not upload, submit, store, post, or send malicious data or software as part of identifying or testing a vulnerability.
  • You may not use knowledge of a vulnerability to extort Brex or others, or make compensation or ransom requests.
  • You may not engage in any activity that results in sending spam emails, messages, phishing, or any unsolicited communications.

    Brex has partnered with Bugcrowd for administering this form. You may receive communication and responses regarding any submitted vulnerabilities from Bugcrowd.