Security Policies and Procedures

This document outlines security procedures and policies for all repositories we own on GitHub, and all services we operate online.

Bug Reporting

We take all security bugs related to our code and our infrastructure very seriously. Thank you for improving the security of our projects and services. We appreciate your efforts and responsible disclosure, and will make every effort to acknowledge your contributions.

Please report any security bugs by contacting us directly.

We will make every effort to keep you informed of the progress towards a fix and announcement, and we may ask for additional information or guidance.

Please report any security bugs in third-party projects to the person or team developing that project.

The following are out of scope and should not be attempted or reported:

  • Excessive Automated Scans
  • Denial of Service Attacks
  • Social Engineering Attacks
  • Reports against infrastructure outside our control
  • Accessing user or admin accounts not owned by the tester

Disclosure Policy

When we receive a security report, we will coordinate the fix, release, and announcement process, involving the following steps:

  1. Confirm the problem and determine affected services.
  2. Audit infrastructure and/or code to find any potential similar problems.
  3. Prepare fixes for all releases currently in production and implement them as quickly as possible.

Additionally, if user data was directly affected or compromised, we will inform affected users to the best of our ability via email and/or a website notification with more information about the incident.