We do our utmost to build secure systems, but we're human too, so we sometimes make mistakes. If you believe you have found a security vulnerability, we would appreciate it if you let us know and disclose it in a responsible manner.
Responsible Disclosure Policy
We kindly ask you, as a security researcher:
- Do not perform disruptive tests on any publicly hosted instance. Testing on a local instance of our open source code is preferred.
- Do not attempt to gain access to other user accounts or violate others' privacy in any way.
If you have found a security threat, we kindly ask you, as a security researcher, to:
- Contact us to report any security vulnerabilities found in any of our community websites, our community network deployments or our open source repositories.
- Contact us privately through the means listed on this page.
- Support us in solving the issue (if you have the technical skills to do so).
- Refrain from requesting compensation for reporting vulnerabilities.
- Wait for 14 days after we have released and deployed a fix before announcing or publishing the details of the vulnerability.
- Provide us with links to your announcements and/or publications regarding the vulnerability.
What we will do upon receipt of a vulnerability report:
- We will acknowledge receipt of your findings and send you updates on our progress.
- We will publicly announce the fix of the vulnerability on our incidents page 14 days after the fix has been released and deployed. In this announcement we will thank you (or "a security researcher") for finding the vulnerability and for following the rules of responsible disclosure.
How to report an issue
Please contact us directly. We can be reached on Slack, by email and on a number of other communication platforms.