|
|
@@ -0,0 +1,50 @@
|
|
|
+ente believes that working with security researchers across the globe is crucial
|
|
|
+to keeping our users safe. If you believe you've found a security issue in our
|
|
|
+product or service, we encourage you to notify us (security@ente.io). We welcome
|
|
|
+working with you to resolve the issue promptly. Thanks in advance!
|
|
|
+
|
|
|
+# Disclosure Policy
|
|
|
+
|
|
|
+- Let us know as soon as possible upon discovery of a potential security issue,
|
|
|
+ and we'll make every effort to quickly resolve the issue.
|
|
|
+- Provide us a reasonable amount of time to resolve the issue before any
|
|
|
+ disclosure to the public or a third-party. We may publicly disclose the issue
|
|
|
+ before resolving it, if appropriate.
|
|
|
+- Make a good faith effort to avoid privacy violations, destruction of data, and
|
|
|
+ interruption or degradation of our service. Only interact with accounts you
|
|
|
+ own or with explicit permission of the account holder.
|
|
|
+- If you would like to encrypt your report, please use the PGP key with long ID
|
|
|
+ `E273695C0403F34F74171932DF6DDDE98EBD2394` (available in the public keyserver
|
|
|
+ pool).
|
|
|
+
|
|
|
+# In-scope
|
|
|
+
|
|
|
+- Security issues in any current release of ente. This includes the web app,
|
|
|
+ desktop app, and mobile apps (iOS and Android). Product downloads are
|
|
|
+ available at https://ente.io. Source code is available at
|
|
|
+ https://github.com/ente-io.
|
|
|
+
|
|
|
+# Exclusions
|
|
|
+
|
|
|
+The following bug classes are out-of scope:
|
|
|
+
|
|
|
+- Bugs that are already reported on any of ente's issue trackers
|
|
|
+ (https://github.com/ente-io), or that we already know of. Note that some of
|
|
|
+ our issue tracking is private.
|
|
|
+- Issues in an upstream software dependency (ex: Flutter, Next.js etc) which are
|
|
|
+ already reported to the upstream maintainer.
|
|
|
+- Attacks requiring physical access to a user's device.
|
|
|
+- Self-XSS
|
|
|
+- Issues related to software or protocols not under ente's control
|
|
|
+- Vulnerabilities in outdated versions of ente
|
|
|
+- Missing security best practices that do not directly lead to a vulnerability
|
|
|
+- Issues that do not have any impact on the general public
|
|
|
+
|
|
|
+While researching, we'd like to ask you to refrain from:
|
|
|
+
|
|
|
+- Denial of service
|
|
|
+- Spamming
|
|
|
+- Social engineering (including phishing) of ente staff or contractors
|
|
|
+- Any physical attempts against ente property or data centers
|
|
|
+
|
|
|
+Thank you for helping keep ente and our users safe!
|
vishnukvmd