Issue 09/Legal/Security & Responsible Disclosure

How we protect the platform.

Our security posture, how to report a vulnerability responsibly, and what we commit to in return. No automated responses. Real people, real follow-through.

Plain-English Summary
  1. 01
    AES-256, TLS 1.2+, RBAC.

    Encryption at rest and in transit. Role-based access controls. Monitoring and patch management.

  2. 02
    Found something? Tell us first.

    Email security@arbibase.com before going public. We investigate every report.

  3. 03
    Safe harbor for good-faith research.

    Follow this policy and act in good faith. We won't pursue legal action.

  4. 04
    Clear out-of-scope rules.

    DoS, brute-force, social engineering, and third-party service issues are out of scope.

  5. 05
    No bug bounty (yet).

    We don't run a public program, but we acknowledge valid reports at our discretion.

  6. 06
    Breach? We notify fast.

    We investigate, contain, and notify affected users as required by FIPA, CA, and NY SHIELD.

§ 01

Introduction

ArbiBase, LLC ("ArbiBase," "we," "us," or "our") is committed to maintaining the security and integrity of our platform at https://arbibase.com and related services (collectively, the "Services"). This policy outlines our security practices and how security researchers may report vulnerabilities responsibly. We value coordinated disclosure.

§ 02

Our security commitment

We implement commercially reasonable administrative, technical, and physical safeguards to protect account information, verification records, personal data, platform infrastructure, payment workflows, and confidential business data.

Encryption at rest
AES-256 for all stored data.
Encryption in transit
TLS 1.2+ enforced across all endpoints.
Access controls
Role-based access; least-privilege enforced.
Authentication
MFA available for all accounts.
Monitoring
Logging and automated anomaly alerting.
Patch management
Regular updates applied to all infrastructure.

No system is 100% secure, but we continuously improve our security posture.

§ 03

Reporting vulnerabilities

If you believe you have discovered a vulnerability affecting the Services, please report it immediately and privately to:

security@arbibase.com
admin@arbibase.com

Include in your report

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • The affected URL or system component
  • Screenshots or proof-of-concept (if applicable)
  • Your contact information
Please don't go public first We request that you do not publicly disclose vulnerabilities until we have had a reasonable opportunity to investigate and remediate. We will acknowledge receipt and keep you updated.
§ 04

Responsible disclosure guidelines

When conducting security research, you agree to: act in good faith; avoid privacy violations, service disruption, and data destruction; not access or modify data beyond what is necessary to demonstrate the issue; not exploit vulnerabilities for personal gain; not conduct DoS testing; and not attempt social engineering against ArbiBase staff.

Testing must not

  • Access accounts that are not your own
  • Extract large volumes of data
  • Circumvent authentication safeguards
  • Introduce malicious code
§ 05

Safe harbor

ArbiBase will not pursue legal action against individuals who discover vulnerabilities, report them responsibly, follow this policy, act in good faith, and do not exploit vulnerabilities beyond proof-of-concept. This safe harbor applies only when all guidelines are followed. Activities that violate law or cause harm are not protected.

§ 06

Out of scope

The following are generally out of scope and will not be investigated:

  • Issues in third-party services outside our control
  • Spam reports
  • Brute-force login attempts
  • Denial-of-service attacks
  • Physical attacks on infrastructure
  • Social engineering attempts against staff
  • Previously disclosed issues
§ 07

Response process

Upon receiving a vulnerability report, we will: acknowledge receipt; investigate the issue; assess severity and risk level; determine remediation steps; and communicate status updates where appropriate. Response timelines vary by complexity and severity. We aim to acknowledge all reports within 5 business days.

§ 08

No bug bounty program

ArbiBase does not currently operate a public bug bounty program. Responsible disclosure does not guarantee compensation. However, we appreciate valid reports and may acknowledge researchers at our discretion.

§ 09

Data breach response

In the event of a confirmed data breach affecting user information, ArbiBase will: investigate promptly; contain the incident; mitigate risks; notify affected users where legally required (FIPA, CA Civil Code § 1798.82, NY SHIELD Act); and comply with all applicable notification laws. Notification does not constitute an admission of liability.

§ 10

User security responsibilities

Users are responsible for maintaining strong, unique passwords; keeping login credentials confidential; securing their own devices; avoiding credential sharing; using updated browsers; and not exporting confidential data insecurely. ArbiBase is not responsible for breaches caused by user negligence.

§ 11

Policy updates

We may update this Security & Responsible Disclosure Policy periodically. The "Last revised" date at the top reflects the most recent version. Continued use of the Services constitutes acceptance of updates.

§ 12

Contact

ArbiBase, LLC
1111b South Governors Ave STE 48151
Dover, DE 19904 US
security@arbibase.com
support@arbibase.com
admin@arbibase.com
+1 (844) 939-3594

Security research

Found something? Tell us.

We take every report seriously. Email our security team before going public and we'll work with you to resolve it responsibly.

Revision history

  • 2026-05-01v2.0 · Full editorial redesign. Added AES-256/TLS detail, named breach notification statutes, safe harbor callout.
  • 2025-10-14v1.1 · Added out-of-scope list and user responsibilities section.
  • 2025-06-01v1.0 · Initial release.