BetterGov

Reporting Vulnerabilities

If you discover a security vulnerability in BetterGov.ph, please report it responsibly by emailing [email protected]

What to Include in Your Report

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and severity
  • Any relevant screenshots or proof-of-concept code (if applicable)

Our Commitment

We will acknowledge your report within 48 hours and provide a detailed response within 7 days, outlining our next steps.

Scope

This security policy applies to the BetterGov.ph website, its associated services, and any related infrastructure.

Out of Scope

The following issues are considered out of scope for security reports:

  • Scam & phishing attempts involving BetterGovPh services
  • Physical security vulnerabilities
  • Social engineering attacks
  • Functional, UI, and UX bugs including:
    • Spelling mistakes
    • Formatting issues
    • Visual design inconsistencies
  • Descriptive error messages
  • HTTP error codes/pages
  • Missing security headers without practical security impact
  • Best practice recommendations without security impact
  • Version disclosure without vulnerabilities
  • Theoretical vulnerabilities without proof of exploitation

Disclosure Process

1. Initial Report

  • Submit your vulnerability report via email
  • Include all necessary details and proof of concept
  • Our team will confirm receipt of your report

2. Review and Validation

  • Our security team reviews the reported issue
  • We may ask for additional information or clarification
  • Valid reports will be confirmed and prioritized

3. Fix Development

  • Work on a fix via pull request
  • Invite you to collaborate if you're interested
  • Test the fix thoroughly
  • Coordinate the release timeline

Guidelines & Safe Harbor

Disclosure Guidelines

  • Do not disclose to others while under investigation
  • Do not exploit the vulnerability for any purpose
  • Do not access, modify, or delete data
  • Provide reasonable time for resolution
  • Follow responsible disclosure practices

Legal Safe Harbor

We will not take legal action against you if you:

  • Follow our disclosure guidelines
  • Do not compromise user data
  • Do not exploit vulnerabilities for malicious purposes
  • Report vulnerabilities promptly and responsibly