Skip to content
Naomi's Documentation

Security Policy

1. Introduction

This Security Policy outlines the procedures for reporting security vulnerabilities in our applications and the terms under which we handle such reports. By participating in our security reporting process, you agree to comply with this policy.

2. Scope

This policy applies to all applications, services, and systems maintained by our organization, including but not limited to:

  • Our main websites and applications
  • All open-source projects hosted on our repositories
  • Any associated APIs or backend services

3. Reporting a Vulnerability

3.1 Reporting Channels

If you discover a security vulnerability within any of our applications or systems, please report it through one of the following secure channels:

  1. Create a private ticket on our support server
  2. Send an email to [email protected]

3.2 Public Disclosure Prohibition

Do NOT disclose the vulnerability publicly or through any public channels, including but not limited to:

  • Public GitHub issues
  • Social media platforms
  • Public forums or chat rooms
  • Blog posts or articles

3.3 Required Information

When reporting a vulnerability, please provide:

  • A detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Any suggested mitigation or fix (if known)

4. Response Process

4.1 Acknowledgment

We will acknowledge receipt of your vulnerability report within 3 business days.

4.2 Assessment and Verification

Our security team will assess the reported vulnerability and may contact you for additional information if needed.

4.3 Resolution Timeline

We strive to resolve confirmed vulnerabilities within 90 days of the initial report, depending on the complexity and severity of the issue.

5. Disclosure Policy

5.1 Coordinated Disclosure

We practice coordinated disclosure. We will work with you to ensure that a fix is available before any public disclosure of the vulnerability.

5.2 Public Acknowledgment

With your permission, we may publicly acknowledge your contribution in discovering and reporting the vulnerability after it has been resolved.

6.1 Authorization

We authorize security research and vulnerability disclosure activities, provided they are conducted in accordance with this policy and all applicable laws.

6.2 Scope of Protection

We will not initiate legal action for accidental, good faith violations of this policy. This safe harbor applies only to activities that:

  • Comply with all aspects of this Security Policy
  • Do not compromise or attempt to compromise the privacy or safety of our users, employees, or systems
  • Do not violate any applicable laws

6.3 Limitations

This safe harbor does not apply to:

  • Vulnerabilities or information obtained through means other than security research
  • Research conducted on third-party applications or services that integrate with our systems

7. Bug Bounty Program

We do not currently offer monetary rewards or “bug bounties” for reporting security vulnerabilities. Your contributions to our security are greatly appreciated, but are on a voluntary basis.

We will gladly thank you in our Hall of Fame

8. Data Protection and Privacy

8.1 Handling of Submitted Information

Any information you provide in your vulnerability report will be handled in accordance with our Privacy Policy and applicable data protection laws.

8.2 Confidentiality

We will treat all vulnerability reports as confidential and will not share the information beyond what is necessary to address the reported issue.

9. Compliance with Laws and Regulations

All security research and vulnerability disclosure activities must comply with all applicable local, state, and federal laws, as well as any relevant international laws.

10. Policy Updates

We reserve the right to update or modify this Security Policy at any time. Any changes will be effective immediately upon posting the updated policy on our website or repository.

11. Contact Information

For any questions regarding this Security Policy, please contact us at [email protected].

By reporting a security vulnerability to us, you acknowledge that you have read, understood, and agree to this Security Policy.