31 lines
1.2 KiB
Markdown
31 lines
1.2 KiB
Markdown
# Security Policy
|
|
Chatwoot is looking forward to working with security researchers across the world to keep Chatwoot and our users safe. If you have found an issue in our systems/applications, please reach out to us.
|
|
|
|
## Reporting a Vulnerability
|
|
|
|
We use [huntr.dev](https://huntr.dev/) for security issues that affect our project. If you believe you have found a vulnerability, please disclose it via this [form](https://huntr.dev/bounties/disclose).
|
|
|
|
This will enable us to review the vulnerability, fix it promptly, and reward you for your efforts.
|
|
|
|
If you have any questions about the process, feel free to reach out to security@chatwoot.com.
|
|
|
|
|
|
## Out of scope
|
|
|
|
Please do not perform testing against Chatwoot production services. Use a self hosted instance to perform tests.
|
|
|
|
We consider the following to be out of scope, though there may be exceptions.
|
|
|
|
- Missing HTTP security headers
|
|
- Self XSS
|
|
- HTTP Host Header XSS without working proof-of-concept
|
|
- Incomplete/Missing SPF/DKIM
|
|
- Denial of Service attacks
|
|
- DNSSEC
|
|
- Social Engineering attacks
|
|
|
|
If you are not sure about the scope, please create a report.
|
|
|
|
## Thanks
|
|
|
|
Thank you for keeping Chatwoot and our users safe. 🙇
|