# Coordinated Vulnerability Disclosure Policy
Berserk ApS welcomes security research that helps us keep customers
safe. This page explains how to report a vulnerability, what we
commit to, and what we ask of reporters in return.
For current public status, see Security Status.
## What's in scope
- The software deliverables distributed by Berserk ApS and any source
  code under the berserkdb/ GitHub organization.
- The bzrk.dev website and bzrk.dev subdomains operated by Berserk ApS.
## What's out of scope
- Customer-deployed instances of Berserk that we do not operate. If
you have found something while running Berserk in your own
environment, the report still helps us — please file it. But we
will not investigate the customer's instance directly without the
customer's invitation.
- Third-party services we use (sub-processors). Report those to the
service owner; if you also need us to coordinate, copy us in.
- Volumetric or denial-of-service tests against any production system.
We will not authorize or help with these.
- Social engineering of Berserk personnel.
- Physical attacks on Berserk infrastructure.
## How to report
Email security@bzrk.dev. Please include, where you can:
- A description of the vulnerability.
- A proof-of-concept or steps to reproduce.
- The affected version(s) or commit SHA.
- Your contact info and how (or whether) you'd like to be credited.
- Any embargo deadline you've already set.
We accept reports in English. PGP encryption is available on request.
We don't currently run a paid bug-bounty program. We do credit
researchers in published advisories with their consent, and we welcome
returning researchers.
## What we commit to
| Step | Target |
|---|---|
| Acknowledge receipt | Within 2 business days. |
| Triage outcome (confirmed, severity, scope) | Within 5 business days of receipt. |
| Status updates while we're working on a fix | At least every 14 days unless we agree otherwise. |
| Coordinated public disclosure | At fix release, within a default 90-day window from receipt — sooner if the issue is being actively exploited, later if mutually agreed for a legitimate technical reason. |
| Public credit (with consent) | In the published advisory. |
## What we ask reporters to do
- Test only against your own deployment of Berserk, or with the
permission of the deployment owner.
- Avoid privacy violations, data destruction, or service degradation.
- Don't leverage the vulnerability beyond what's necessary to confirm
it.
- Hold off on public disclosure until we've had a chance to fix and
notify affected customers — see "embargo" below.
If you act in good faith within these guidelines, Berserk ApS will
not pursue legal action against you for the report.
## Embargo
Default embargo is 90 days from the date we receive the report.
Within that window we coordinate the fix, backport to supported
releases, and notify customers under DPA at least 5 business days
before public disclosure where possible.
We may shorten the embargo when:
- The issue is being actively exploited in the wild.
- Independent disclosure is imminent and beyond our control.
We may extend the embargo, with the reporter's agreement, when:
- A fix requires a non-trivial upstream change in a third-party
dependency.
- Coordination with a third-party vendor is required and they need
more time.
## After disclosure
Once an advisory is public:
- The advisory is published on the affected GitHub repository as a
GitHub Security Advisory; a CVE is requested where appropriate.
- The change-log on this page lists the public ID and a link.
- The fix is tagged in a release; container images carry the patch.
## Change log
This is the first publication of this policy.
| Date | Change |
|---|---|
| 2026-04-29 | Initial publication. |
- Vulnerability reports: security@bzrk.dev
- Website security.txt: /.well-known/security.txt
- Other security questions: security@bzrk.dev
- General contact: hello@bzrk.dev