Security & vulnerability disclosure
Effective: May 9, 2026
This page is published by Mini Parakeet LLC (doing business as Fazr, "we" or "us") and describes how to report a security issue in bddr.ai and what we commit to in return.
How to report
If you've found a security issue in bddr.ai, email security@bddr.ai. Include:
- A clear description of the issue and potential impact.
- Steps to reproduce, ideally with a minimal proof-of-concept.
- Any affected URLs, extension versions, or components.
- Your preferred method of credit, if you'd like to be recognized.
If you want to encrypt the report, email us for a PGP key.
In scope
- The bddr.ai Chrome extension (all currently published versions).
- api.bddr.ai — our Cloudflare Worker backend.
- The bddr.ai and fazr.ai websites.
Out of scope
- Amazon's own systems and the Amazon Advertising API — report those to Amazon.
- Third-party services we rely on (Cloudflare, Anthropic, LemonSqueezy) — report those to the vendor.
- Issues requiring physical access to a user's device.
- Social engineering of our team, customers, or vendors.
- Denial-of-service testing against our backend at scale. If you're exploring capacity issues, coordinate first by email.
- Findings that require a rooted/jailbroken browser environment or the installation of additional malicious software.
Safe harbor
If you follow this policy, we won't pursue legal action against you and we'll do our best to work with you. Specifically:
- We consider good-faith security research, conducted within the scope above, to be authorized activity.
- We'll waive any potential DMCA claim arising from the research.
- We won't file complaints with law enforcement over good-faith testing that complies with this policy.
In return: don't access or modify other users' data; don't destroy or corrupt data; don't degrade service for others; don't disclose the issue publicly until we've had a reasonable chance to fix it (see below).
Coordinated disclosure
Our commitments:
- Acknowledge your report within 5 business days.
- Keep you updated as we investigate.
- Aim to remediate within 90 days for issues we confirm as in-scope. This isn't a guarantee — complex issues may take longer, and we'll tell you if that's the case.
- Coordinate public disclosure with you, if you want one.
Please don't publicly disclose the issue until we've released a fix or otherwise agreed on a disclosure date.
Recognition
With your permission, we'll credit you in a security acknowledgments section on this page. Tell us how you'd like to be named (real name, handle, company affiliation).
No bug bounty program
We don't currently offer cash rewards for vulnerability reports. We deeply appreciate researchers who help us find and fix issues — the recognition above and the coordinated-disclosure process are what we're able to offer at this stage.
Our security practices (high-level)
- TLS 1.2+ everywhere.
- HMAC-SHA-256 signing on AI Guide requests; license verification before any AI request is forwarded.
- Local-first architecture — the Service is designed to minimize data flowing through our backend.
- Least-privilege access to production, secrets managed via Wrangler.
- Dependency updates tracked through Dependabot; automated security advisories.
- Version-controlled deployments through GitHub Actions.
Changes
We may update this policy from time to time. Material changes are posted with a revised effective date.
Revision history
- April 14, 2026 — Initial version.