Security Practices and Responsible Disclosure

1. Security Framework

BowerNest is committed to maintaining the security and integrity of the platform and the personal information of our users. Our security practices are informed by and aligned with the following frameworks:

• SOC 2 (Type II): Service Organisation Control standards for security, availability, processing integrity, confidentiality, and privacy. BowerNest is actively working towards alignment, with policies, procedures, and platform architecture structured to meet these standards. Formal certification is planned as the platform matures;
• ISO 27001: International standard for information security management systems. BowerNest is actively working towards alignment, structuring our information security management practices to meet this standard;
• ISO 42001: Standard for AI management systems, relevant to our use of AI-assisted features (alignment in progress); and
• Essential Eight: The Australian Cyber Security Centre's (ACSC) Essential Eight Maturity Model for mitigating cyber security incidents.

Note: BowerNest has not yet achieved formal certification for any of the frameworks listed above. We are actively working towards alignment by structuring our policies, procedures, platform architecture, and values to meet these security and government-grade compliance standards. References to these frameworks indicate our commitment and direction, not current certification status.

2. Security Measures

BowerNest implements the following security measures:

• encryption of data in transit (TLS 1.2 or higher) and at rest (AES-256 or equivalent);
• role-based access controls with the principle of least privilege;
• multi-factor authentication for administrative access;
• regular security assessments and vulnerability scanning;
• secure software development practices, including code review and security testing;
• incident response planning and procedures;
• employee security awareness training; and
• regular backup and disaster recovery testing.

3. Responsible Disclosure Policy

BowerNest welcomes responsible disclosure of security vulnerabilities by security researchers and members of the public. If you discover a potential security vulnerability in the BowerNest platform, we ask that you report it to us in a responsible manner.

3.1 How to Report

Please report security vulnerabilities to [email protected]. Your report should include:

• a description of the vulnerability and its potential impact;
• steps to reproduce the vulnerability;
• any proof-of-concept code or screenshots; and
• your contact information for follow-up.

3.2 Our Commitment

Upon receiving a valid vulnerability report, BowerNest will:

• acknowledge receipt within three business days;
• investigate and validate the reported vulnerability;
• provide an estimated timeline for remediation;
• notify you when the vulnerability has been addressed; and
• credit you (if desired) for your responsible disclosure.

3.3 Disclosure Timeline

BowerNest requests that security researchers allow a reasonable period (up to 90 days) for us to investigate and remediate reported vulnerabilities before any public disclosure. We will work with reporters to agree on an appropriate disclosure timeline.

3.4 Safe Harbour

BowerNest will not pursue legal action against security researchers who:

• make a good faith effort to comply with this Responsible Disclosure Policy;
• avoid privacy violations, destruction of data, and interruption or degradation of our services;
• do not exploit the vulnerability beyond what is necessary to demonstrate the issue; and
• do not access, modify, or delete data belonging to other users.

4. Incident Response

BowerNest maintains an incident response plan that includes procedures for identifying, containing, investigating, and remediating security incidents. In the event of a data breach, BowerNest will comply with the Notifiable Data Breaches scheme under Part IIIC of the Privacy Act 1988 (Cth).