We care about security. Please report any security-related issues by emailing [email protected].
- We will aim to respond to your initial report as soon as possible.
- If, for some reason, we haven't responded to your report within 24 hours, please try to get hold of a member of the security team by asking on Slack.
- Once a member of the security team has reviewed your report, they may ask you for more info to better understand the issue.
- Once the security team has all the necessary info, they will make an assessment and tell you by email whether we consider it a valid bug.
- Once the issue has been accepted as a valid bug, we ask that you give us 21 days to fix the issue, after which you are welcome to publicly disclose the issue.
- On the other hand, if the security team determines the issue to be invalid, you are welcome to publicly disclose it whenever you want.
We will not initiate a lawsuit or law enforcement investigation against you in response to your report, as long as you:
- Don't publicly disclose an issue until it has either been explicitly assessed to be invalid by our security team, or 21 days have passed since it was acknowledged as a valid issue by our security team.
- Don't attempt to gain access to another user's account or data, or the data or infrastructure of a host.
- Don't exploit a security issue for any reason.
- Don't perform any attacks that could impact the reliability or integrity of the network/platform, our services, or data, e.g. denial of service attacks, spam attacks, data corruption, &c.
- Never conduct any non-technical attacks against us, our collaborators, our users, or our infrastructure, e.g. phishing, social engineering, physical assault, &c.
Due to limited resources, we do not currently offer any form of monetary reward for the reporting of bugs. We hope to be able to do so in the future as our finances improve.
In the meantime, we will publicly recognise the reporters of all acknowledged security issues by listing their name and website on a dedicated project page. Please let us know these details when you report the bug. Thank you!