At Comitas, we take security vulnerabilities seriously and are committed to ensuring the safety and privacy of our users and their data. We believe that collaboration with security researchers and the wider community is crucial in identifying and addressing potential vulnerabilities. This policy outlines our approach to receiving, evaluating, and addressing reports of security vulnerabilities.
Reporting a Vulnerability
If you have discovered a potential security vulnerability within any of our systems, products, or services, we encourage you to responsibly disclose it to us. We request that you follow these guidelines when reporting a vulnerability:
- Contact us: Notify us of the vulnerability by sending an email to firstname.lastname@example.org. Do not publicly disclose any details of the vulnerability until we have had a reasonable opportunity to investigate and address it.
- Provide necessary details: Include a clear and concise description of the vulnerability, the system, product, or service affected, and any steps or proof of concept (PoC) that will help us reproduce and understand the issue.
- Your contact information: Include your name or pseudonym, contact information (email address or preferred method of communication), and any preferred acknowledgment or attribution for the discovery.
- Responsible disclosure: We kindly request that you give us a reasonable amount of time to investigate and address the reported vulnerability before making any public disclosures or sharing the information with others.
Guidelines for Researchers
To ensure a collaborative and constructive experience for everyone involved, we ask security researchers to follow these guidelines:
- Act in good faith: Engage in responsible vulnerability disclosure, respecting the security and privacy of our users and their data throughout the process.
- Legal compliance: Do not engage in any activity that may violate any applicable laws or regulations during your research.
- Scope: Focus your efforts on the systems, products, or services we have declared in scope. Do not conduct destructive testing or cause harm to our users, infrastructure, or data.
- Non-invasive testing: Do not attempt to access, modify, or delete any user data beyond what is necessary to demonstrate the vulnerability.
- Confidentiality: Keep any information or data obtained during your research confidential and ensure it is only shared with us for the purpose of vulnerability disclosure.
Upon receiving a vulnerability report, we commit to the following:
- Acknowledgment: We will acknowledge the receipt of your report within 2 business days and provide you with an initial assessment of the report.
- Investigation: Our security team will promptly investigate the reported vulnerability, employing reasonable efforts to reproduce and validate the issue.
- Communication: We will maintain open lines of communication with you throughout the process, providing updates on the progress of the investigation and steps taken to address the vulnerability.
- Resolution and Attribution: We will make reasonable efforts to address and resolve the reported vulnerability, and, if applicable, acknowledge and attribute your responsible disclosure in our public acknowledgments.
- Respect and Collaboration: We value the contributions of security researchers and will treat all interactions with respect and professionalism.
Comitas commits not to initiate legal action against security researchers who discover and report security vulnerabilities in accordance with this policy. Researchers must adhere to the guidelines outlined above to qualify for this commitment.
This policy does not grant permission or authorization to perform any actions that may violate any applicable laws or regulations.