Security is core to our values, and we value the input of external security researchers acting in good faith to help us maintain a high standard for the security and privacy of our users and systems. This policy sets out our definition of good faith in the context of finding and reporting security vulnerabilities, as well as what you can expect from us in return for your effort, skill, and dedication.
To responsibly report a vulnerability, please
We require all security researchers to:
If you follow these guidelines when reporting an issue to us, we commit to:
When working with us according to this policy, you can expect us to:
The vulnerabilities listed here are explicitly eligible for our security program. Any design or implementation issue that substantially affects the confidentiality or integrity of user data is likely to be in scope for the program. Common examples include:
While this list represents our primary focus for security research, we are interested in reports for all of our software and dependencies especially if it impacts reasonably sensitive user data.
This can include any open source libraries, software, or third-party components. At our discretion, we will recognize reports not included in the In-Scope Vulnerabilities list.
The following are considered out of scope for our security program and will not be rewarded:
To encourage vulnerability research and to avoid any confusion between legitimate research and malicious attack, we ask that you attempt, in good faith, to:
When conducting vulnerability research according to this policy, we consider that research to be:
You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through one of our Official Channels before going any further.
We are committed to timely correction of vulnerabilities. However, we recognize that public disclosure of a vulnerability in the absence of a readily available corrective action is likely to increase rather than decrease risk. Accordingly, we require that you refrain from sharing information about discovered vulnerabilities for 90 calendar days after you have received our acknowledgement of receipt of your report. If you believe others should be informed of the vulnerability prior to our implementation of corrective actions, we require that you coordinate with us in advance.
We may share vulnerability reports with the Cybersecurity and Infrastructure Security Agency (CISA), as well as any affected vendors. We will not share names or contact data of security researchers unless given explicit permission. We may modify the terms of this policy at any time entirely at our discretion.
Please contact us at firstname.lastname@example.org prior to conducting research if you are unsure if a specific test method is inconsistent with or unaddressed by this policy.
Last Update: January 31, 2022