Skip to main content
SECURITY: RESPONSIBLE_DISCLOSURE

Security / Responsible Disclosure

Last Updated: January 9, 2026

We take security seriously. If you discover a security vulnerability, please report it responsibly.

Reporting Security Issues

If you discover a security vulnerability:

  1. Do Not:
    • Exploit the vulnerability beyond what is necessary to demonstrate it
    • Access or modify data that does not belong to you
    • Disrupt services or impact other users
    • Publicly disclose the vulnerability before we have addressed it
  2. Do:
    • Report it to us immediately through Technical Support (select "Security Issue")
    • Provide detailed information about the vulnerability
    • Include steps to reproduce the issue (if applicable)
    • Give us reasonable time to fix the issue before public disclosure

What to Include in Your Report

Please provide:

  • Description: Clear description of the vulnerability
  • Impact: Potential impact if exploited
  • Steps to Reproduce: Detailed steps to reproduce the issue (if applicable)
  • Proof of Concept: Code or examples demonstrating the vulnerability (if safe to share)
  • Suggested Fix: Any suggestions for fixing the issue (optional but appreciated)

Our Response

We will:

  • Acknowledge receipt of your report within 48 hours
  • Investigate the issue promptly
  • Keep you informed of our progress
  • Work to fix the issue as quickly as possible
  • Notify you when the issue is resolved

Timeline: We aim to address critical vulnerabilities within 7-14 days, though complex issues may take longer.

Responsible Disclosure Timeline

We follow a responsible disclosure process:

  1. Report: You report the vulnerability to us
  2. Investigation: We investigate and confirm the issue
  3. Fix: We develop and test a fix
  4. Deployment: We deploy the fix to production
  5. Disclosure: After the fix is deployed, we may publicly acknowledge the issue and your contribution (with your permission)

Request: Please allow us at least 30 days to address the issue before public disclosure. We may request additional time for complex issues.

Recognition

We appreciate security researchers who help us improve our security. With your permission, we may:

  • Publicly acknowledge your contribution (without revealing sensitive details)
  • Add you to a security acknowledgments page
  • Thank you in our security updates

We do not offer monetary rewards, but we value the security community's contributions.

Out of Scope

The following are generally out of scope for security reporting:

  • Social engineering attacks
  • Physical security issues
  • Denial of service (DoS) attacks
  • Issues requiring physical access to systems
  • Issues in third-party services we use
  • Spam or content issues (use Report Issue instead)

Contact Us

To report a security vulnerability:

Important: Please use the contact form rather than email for security reports, as it helps us track and prioritize issues.