The iTwin.js team takes security bugs in the iTwin.js library seriously. We appreciate your efforts to responsibly disclose your findings and will make every effort to acknowledge your contributions.

To report a security issue, email security@bentley.com, and include the words SECURITY and iTwin.js in the subject line.

The iTwin.js team will send back a response indicating the next steps in handling your report. After the initial reply to your report, the security team will keep you informed of the progress towards a fix and full announcement. We may ask for additional information or guidance.

Report security concerns in third-party modules to the person or team maintaining that module.

We ask that:

• You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others.
• You do not interact with an individual account (which includes modifying or accessing data from the account) if the account owner has not consented to such actions.
• You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) unauthorized access to or destruction of data, and interruption or degradation of our services.
• You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.)
• You do not intentionally violate any other applicable laws or regulations, including (but not limited to) laws and regulations prohibiting the unauthorized access to data.
• For the purposes of this policy, you are not authorized to access user data or company data, including (but not limited to) personally identifiable information and data relating to an identified or identifiable natural person.

For more information, please read Bentley's responsible disclosure guidelines.