Responsible disclosure
Strengthening security together.
At Staatic, ensuring the security of our systems is paramount. Despite our rigorous efforts to strengthen security measures, potential vulnerabilities may still exist.
If you identify a vulnerability, please inform us immediately. Your insights are invaluable in enabling prompt remedial actions to ensure the security of our clients and platform.
We request your adherence to the following steps:
Share your findings by sending an email to cert@staatic.com. Utilize PGP with our public key (AE6FFF38) to encrypt the information, ensuring its confidentiality and security.
Important: only reports encrypted with PGP will be considered.
Provide enough detail for us to reproduce the issue so that it can be resolved promptly: include the IP address or URL of the affected system and a clear description of the vulnerability. Complex issues may require a more elaborate explanation.
Abstain from exploiting the identified vulnerability; avoid extracting excessive data, altering, or deleting information belonging to others.
Avoid employing tactics such as physical security breaches, social engineering, distributed denial of service attacks, spam, or involving third-party applications.
Don’t perform any actions that generate a significant volume of unnecessary data or users, such as bulk registration of accounts or content, which can negatively impact our services or data integrity.
Maintain confidentiality; refrain from disclosing the issue to anyone until it is effectively resolved.
Our commitments:
Expect a comprehensive response within five business days, including an assessment and a projected timeline for issue resolution.
We are committed to safeguarding your confidentiality; your sensitive information will not be shared with third parties without explicit consent.
Stay informed; we’ll provide consistent updates on the progress of addressing the identified issue.
Your contribution will be acknowledged in public disclosures, crediting you as the identifier of the issue, unless anonymity is preferred.
Adhering to the provided guidelines ensures immunity from legal repercussions associated with your disclosure.
As a token of appreciation for your assistance, we offer a reward for every notification of a non-trivial security issue previously unknown to us. The value of the reward is determined by the severity of the breach and the quality of the report.
We are committed to addressing all issues as quickly as possible, and we intend to contribute actively to the full public disclosure of the problem once it has been resolved.
Our content is adapted from the text by Floor Terra, published under a Creative Commons Attribution 3.0 license. The original work can be accessed at https://responsibledisclosure.nl.