Responsible disclosure.

If you've found a vulnerability in this website or in the Bifrost kiosk software, we want to hear about it. Report it privately and we'll work with you.

How to report

Email security@bifrost.au with as much detail as you can share: what you found, how to reproduce it, and the impact as you understand it. A short write-up is fine — we'll follow up with questions.

Scope

• This website (bifrost.au) and its subdomains
• The Bifrost kiosk operating system and software
• Any systems we operate that are reachable from the internet

Out of scope: third-party services we use (report those to the respective vendors), social engineering of our staff, physical attacks on our facilities.

Our commitment

• We acknowledge every report within 72 hours.
• We will not pursue legal action against researchers acting in good faith within the scope above.
• We'll keep you informed as we investigate and fix.
• With your permission, we credit you publicly when the fix ships.

Acknowledgements

Researchers who have helped improve Bifrost's security will be listed here.