Security Vulnerability Disclosure Policy
We consider the security of our users and our platform a top priority. If you believe that you have discovered a potential vulnerability on our platform or in any of our APIs, apps, servers or other assets, please inform us via email@example.com. We would like to know about it so we can take steps to address it as quickly as possible.
We would appreciate your help in keeping our platform secure by disclosing your findings in accordance with this policy.
Dos and Don’ts:
- E-mail your findings to firstname.lastname@example.org. Encrypt your findings using our PGP key to prevent this critical information from falling into the wrong hands.
- Do not exploit the vulnerability you have discovered by downloading more data than necessary to demonstrate the vulnerability, or by deleting or modifying other people’s data.
- Do not reveal the problem to others until it has been resolved.
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URI of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
- Do provide your contact information, in case further communication is needed to resolve the vulnerability.
What we promise:
- We will try to respond to your report within 7 days with our evaluation of the report and an expected resolution date.
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- PGP public key - pgp.txt