Our Commitment to Security
We take the security of our systems, data, and users seriously and are committed to maintaining a secure environment for all who interact with our platform and services. We recognize that security is an ongoing process that benefits from collaboration with the broader security community, including researchers, experts, and users who may discover potential vulnerabilities in our systems. This policy outlines our approach to receiving, evaluating, and addressing security vulnerability reports while providing clear guidelines for researchers and others who wish to report security issues responsibly.
Scope of Security Reporting
This policy covers security vulnerabilities discovered in our websites, applications, services, and infrastructure that could potentially compromise user data, system integrity, or service availability. We welcome reports of various types of security issues including but not limited to authentication bypass, data exposure, injection vulnerabilities, cross-site scripting, insecure direct object references, and other technical vulnerabilities that could be exploited maliciously. We also appreciate reports of security misconfigurations, privacy issues, and other concerns that could affect the safety and security of our users or systems.
Responsible Disclosure Guidelines
We encourage security researchers and users to follow responsible disclosure practices when reporting vulnerabilities, which includes reporting issues directly to us before disclosing them publicly or to third parties. Responsible disclosure allows us time to investigate, validate, and address security issues before they can be exploited maliciously, protecting our users and maintaining system integrity. We ask that researchers avoid accessing, modifying, or deleting user data, disrupting our services, or causing harm to our systems while investigating potential vulnerabilities, and we appreciate cooperation in limiting testing to the minimum necessary to demonstrate the security issue.
What Constitutes a Valid Security Report
Valid security reports should include sufficient detail to allow our security team to understand, reproduce, and assess the potential impact of the reported vulnerability. This includes clear descriptions of the vulnerability, step-by-step reproduction instructions, potential impact assessment, and any supporting evidence such as screenshots or proof-of-concept code. We particularly value reports that include suggested remediation approaches or security improvements, though such suggestions are not required for a report to be considered valid and actionable.
Reporting Process and Channels
Security vulnerabilities should be reported through our designated security contact channels to ensure they reach our security team promptly and are handled with appropriate confidentiality. We provide specific contact information for security reports separate from general customer support to ensure that security issues receive immediate attention from qualified personnel. When reporting security issues, please include as much relevant detail as possible while avoiding unnecessary disclosure of sensitive information that could be used maliciously if intercepted during transmission.
Response Timeline and Communication
We are committed to acknowledging receipt of security reports within two business days and providing initial assessment and response within five business days of receiving a complete and actionable report. Our response timeline for addressing validated vulnerabilities depends on the severity and complexity of the issue, with critical vulnerabilities receiving immediate attention and lower-severity issues addressed according to our internal prioritization process. We will keep reporters informed of our progress and provide updates on remediation timelines, though specific details about fixes may be limited until patches are deployed to protect against potential exploitation.
Vulnerability Assessment and Prioritization
Our security team evaluates reported vulnerabilities based on factors including potential impact, exploitability, affected systems, and the number of users who could be affected by the vulnerability. Critical vulnerabilities that could lead to widespread data exposure, system compromise, or service disruption receive the highest priority and are addressed immediately. We use industry-standard vulnerability scoring systems and our own internal risk assessment processes to ensure that resources are allocated appropriately and that the most serious security issues are resolved first.
Coordination and Public Disclosure
We work with security researchers to coordinate appropriate disclosure timelines that allow us to develop and deploy fixes while respecting the researcher’s interest in public recognition for their work. We generally prefer disclosure timelines of ninety days from initial report to public disclosure, though this may be adjusted based on the complexity of the issue and the time required for thorough testing and deployment. We support researchers who wish to publish details about resolved vulnerabilities and may provide assistance with technical accuracy and impact assessment for such publications.
Recognition and Appreciation
We value the contributions of security researchers and others who help us identify and address security vulnerabilities, and we are committed to providing appropriate recognition for these important contributions to our security posture. This may include public acknowledgment in security advisories, placement on a security researchers' hall of fame, or other forms of recognition that honor the researcher’s contribution while respecting their preferences for attribution. We believe that recognizing security research contributions encourages continued collaboration and helps build a stronger security community.
Legal Safe Harbor
We will not pursue legal action against researchers who comply with this responsible disclosure policy and conduct their security research in good faith, even if their research activities might otherwise violate our terms of service or applicable laws. This safe harbor protection applies to security research activities that are conducted for the purpose of identifying and reporting security vulnerabilities rather than for malicious purposes such as data theft, service disruption, or unauthorized access for personal gain. Researchers should limit their testing to the minimum necessary to demonstrate vulnerabilities and should not access, modify, or delete user data during their research.
Prohibited Activities and Limitations
While we encourage security research, certain activities are prohibited and are not covered by our safe harbor protections, including social engineering attacks against our employees or users, physical attacks against our facilities or infrastructure, and denial of service attacks that could disrupt our services. Researchers should also avoid testing on production systems when possible and should not attempt to access user accounts or personal data beyond what is necessary to demonstrate a vulnerability. Activities that violate applicable laws or cause harm to our users or systems are not protected under this policy.
Internal Security Practices
We maintain internal security practices including regular security assessments, code reviews, penetration testing, and vulnerability scanning to identify and address security issues proactively. Our security team works closely with our development and operations teams to ensure that security considerations are integrated throughout our development and deployment processes. We also participate in security industry initiatives and maintain relationships with security vendors and experts to stay current with emerging threats and best practices.
Third-Party and Vendor Security
Our security practices extend to third-party services and vendors that have access to our systems or user data, and we encourage reports of security issues discovered in these external services when they could affect our users or systems. We work with our vendors to ensure appropriate security standards and incident response procedures, and we may coordinate with them on security vulnerability disclosure when issues affect multiple parties. Researchers who discover vulnerabilities in third-party services used by our platform should consider reporting these issues to the affected vendors as well as to us.
Continuous Improvement
We regularly review and update our security practices, including this responsible disclosure policy, based on feedback from the security community, changes in the threat landscape, and lessons learned from previous security incidents and vulnerability reports. We appreciate feedback about our security processes and disclosure practices, and we are committed to continuously improving our approach to security collaboration and vulnerability management. Our goal is to maintain security practices that protect our users while encouraging valuable security research and collaboration.
Contact Information and Resources
Security vulnerability reports should be sent to our designated security contact, and we provide specific instructions for secure communication when sensitive information must be transmitted. We maintain updated contact information and may provide additional resources such as public keys for encrypted communication or specific platforms for secure vulnerability reporting. Researchers and users with questions about this policy or our security practices are encouraged to contact our security team for clarification and guidance.