Skip to main content

Still scrolling? Get on the list.

We’ll only email when there’s a launch date, beta invite, or pricing decision worth your time.

Add me to the list

Get in touch

Questions about the product, pilot access, or anything else? hello@thebusinessguard.com — we read every email.

© 2026 BusinessGuard, a Silvey & Co. Operations company.

TermsPrivacyCookiesAcceptable UseAccessibility
  1. Waitlist
  2. Vulnerability Disclosure Policy

Security

Vulnerability Disclosure Policy

BusinessGuard welcomes responsible security research. This policy describes how researchers may report potential vulnerabilities, the protections we extend to good-faith reporters, and our commitment to timely remediation.

Waitlist-Stage Notice

BusinessGuard is currently operating in pre-launch waitlist mode. The Service is not yet generally available. During the waitlist period, the only Personal Information collected from waitlist registrants is the business email address and business name, which are used solely to deliver pre-launch communications. References in these policies to features such as report submission, moderation workflows, audit trails, and cookie preference interfaces describe the Service as it will operate upon general availability launch and do not represent features that are currently active.

On this page

  1. Introduction and Commitment
  2. Scope
  3. Reporting a Vulnerability
  4. Safe Harbor
  5. Response Timeline
  6. Recognition
  7. Out-of-Scope Activities
  8. Contact
  9. Responsible Disclosure
On this page
  1. Introduction and Commitment
  2. Scope
  3. Reporting a Vulnerability
  4. Safe Harbor
  5. Response Timeline
  6. Recognition
  7. Out-of-Scope Activities
  8. Contact
  9. Responsible Disclosure

On this page

  1. Introduction and Commitment
  2. Scope
  3. Reporting a Vulnerability
  4. Safe Harbor
  5. Response Timeline
  6. Recognition
  7. Out-of-Scope Activities
  8. Contact
  9. Responsible Disclosure

Introduction and Commitment

Silvey & Co., operating as BusinessGuard (the "Company"), is committed to the security of its platform, infrastructure, and User data. We recognize that independent security researchers play a valuable role in helping us identify and address potential vulnerabilities before they can be exploited.

This Vulnerability Disclosure Policy ("VDP") describes how security researchers may report potential vulnerabilities in the BusinessGuard platform in a responsible and coordinated manner, and sets forth the Company's commitments regarding the handling and resolution of reported issues.

By submitting a vulnerability report to the Company, you acknowledge that you have read, understood, and agree to comply with the terms and conditions of this VDP.

Scope

In-Scope Assets: The following assets are within the scope of this VDP and eligible for vulnerability reporting: the BusinessGuard web application at thebusinessguard.com (including all subdomains), all API endpoints served by the BusinessGuard platform, and the authentication and session management infrastructure operated by the Company.

The Company is particularly interested in reports concerning, including without limitation: authentication and authorization bypasses, injection vulnerabilities (SQL injection, cross-site scripting, command injection), server-side request forgery (SSRF), insecure direct object references (IDOR), cryptographic implementation weaknesses, sensitive data exposure, and access control failures.

Out-of-Scope: The following are expressly excluded from the scope of this VDP: third-party services, platforms, or infrastructure not directly operated by the Company (including, without limitation, Supabase, Stripe, Upstash, and Vercel); physical security testing of any facilities or premises; social engineering attacks against Company employees, contractors, or Users; denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks; automated scanning or testing that degrades service availability or performance; and spam, phishing, or other forms of unsolicited communications.

Reporting a Vulnerability

All vulnerability reports shall be submitted via encrypted email to: security@thebusinessguard.com. If you require the Company's PGP public key for encrypted communications, please request it at the same address.

A complete vulnerability report should include the following information: a clear and detailed description of the vulnerability, including the affected asset, endpoint, or component; step-by-step instructions sufficient to reproduce the vulnerability, including any tools, scripts, or configurations used; an assessment of the potential impact and severity of the vulnerability, including any data or systems that may be affected; proof-of-concept code, screenshots, or other supporting evidence, if available and if such evidence can be provided without causing harm to the Service or its Users; and your preferred method of contact and, if applicable, your name or alias for recognition purposes.

The Company requests that all reports be submitted in English. Incomplete reports may result in delayed triage or may be closed without investigation if the Company is unable to reproduce the described behavior.

Safe Harbor

The Company will not initiate or pursue legal action, whether civil or criminal, against security researchers who discover and report vulnerabilities in good faith and in compliance with this VDP. The Company considers good-faith vulnerability research conducted in accordance with this VDP to be authorized conduct.

To qualify for safe harbor protection, researchers must comply with all of the following conditions: make a good-faith effort to avoid privacy violations, data destruction, data exfiltration, and service disruption during the course of research; refrain from accessing, modifying, deleting, or exfiltrating data belonging to other Users of the Service; refrain from conducting denial-of-service testing, brute-force attacks, or any activity that degrades the availability or performance of the Service; refrain from publicly disclosing or sharing vulnerability details with any third party prior to the Company's confirmation that the vulnerability has been remediated or a mutually agreed disclosure timeline has been established; and report the vulnerability promptly and exclusively to the Company through the channels designated in this VDP.

In the event that a researcher inadvertently accesses data belonging to another User during the course of good-faith research, the researcher shall immediately cease all further access, refrain from storing or distributing such data, and promptly notify the Company of the inadvertent access in the vulnerability report.

If a third party initiates legal proceedings against a researcher for activities conducted in compliance with this VDP, the Company will take reasonable steps to make known that such activities were authorized under this VDP.

The Company's authorization under this VDP is intended to satisfy the "authorized access" standard under the Computer Fraud and Abuse Act, 18 U.S.C. § 1030, as interpreted in Van Buren v. United States, 141 S. Ct. 1648 (2021), and is consistent with the United States Department of Justice policy declining to prosecute good-faith security research (DOJ Criminal Division, May 19, 2022).

Response Timeline

Acknowledgment: The Company shall acknowledge receipt of a vulnerability report within two (2) business days of submission.

Triage: The Company shall complete an initial assessment and classification of the reported vulnerability within five (5) business days of acknowledgment. During triage, the Company may contact the reporter to request additional information or clarification.

Remediation: The Company shall target remediation of confirmed vulnerabilities within ninety (90) calendar days of the initial report, subject to the severity, complexity, and scope of the issue. The Company will provide periodic status updates to the reporter during the remediation process.

Coordinated Disclosure: Upon successful remediation, the Company supports coordinated public disclosure of the vulnerability. The Company and the reporter shall work together in good faith to agree upon an appropriate disclosure timeline and the content of any public disclosure. The Company requests that researchers refrain from public disclosure until the Company has confirmed that the vulnerability has been fully remediated.

The Company reserves the right to adjust these timelines on a case-by-case basis in the event of extenuating circumstances, including, without limitation, vulnerabilities of exceptional complexity or those requiring coordination with upstream vendors or third-party service providers.

Recognition

The Company values the contributions of the security research community and, with the researcher's consent, will acknowledge the researcher's contribution in the Company's security acknowledgments or hall of fame, as applicable.

Researchers may request to be credited under their legal name, a pseudonym, or to remain anonymous. The Company will honor such preferences.

The Company does not currently operate a paid monetary bounty program. Vulnerability reports submitted under this VDP are made on a voluntary and good-faith basis, and no financial compensation shall be provided for reports submitted hereunder. The Company reserves the right to establish a formal bug bounty program in the future, at which time separate terms and conditions shall apply.

Out-of-Scope Activities

The following activities are expressly prohibited and shall not be considered authorized research under this VDP: any testing against systems, services, or infrastructure not owned or operated by the Company; social engineering, phishing, or pretexting directed at Company employees, contractors, agents, or Users; physical intrusion or testing of physical security controls at any location; denial-of-service or resource exhaustion attacks of any kind; testing that results in the destruction, corruption, or unauthorized modification of data; accessing, downloading, or exfiltrating data belonging to any User other than your own test accounts; introduction of malware, ransomware, backdoors, or any other malicious code into the Service; and any activity that violates applicable federal, state, or local law.

Reports describing vulnerabilities that require the execution of any of the above activities shall be evaluated on a case-by-case basis and may not qualify for safe harbor protection under this VDP.

Contact

For all vulnerability reports and security-related communications: security@thebusinessguard.com.

For general inquiries regarding this VDP or the Company's security practices: legal@thebusinessguard.com.

This Vulnerability Disclosure Policy is effective as of April 6, 2026, and may be updated from time to time at the Company's discretion. Researchers are encouraged to review this VDP before each submission to ensure compliance with the most current version.

Responsible Disclosure

The Company does not currently operate a paid bug bounty program. Reports submitted under this policy are made on a voluntary, good-faith basis.

Researchers who comply with this policy will not face legal action from the Company for their security research activities.

Please direct all vulnerability reports to security@thebusinessguard.com. Do not disclose vulnerabilities publicly before coordinating with the Company.