We care very deeply about fixing bugs and vulnerabilities, and addressing concerns as soon as possible. We generally roll out solutions to mission-critical problems within hours of confirming them.
How can I report a bug or vulnerability?
- Through Intercom, by using the chat bubble on the bottom-right of any Conduit page while logged in. This gives us the most context about the problem.
- Through any error page, by clicking "Report the problem to us" or "Tell us what happened". Your browser may also automatically send us redacted information about the problem.
- Via email, to [email protected] (our root domain name, conduithq.com).
What rules should we follow when finding or reporting problems?
As adapted from Medium's bug disclosure policy, you should follow these rules:
- Give us reasonable time to respond before making any information about the security issue public.
- Don't attempt to gain access to another user's account or data.
- Don't perform any attack that might harm the integrity or reliability of our services or data. DDoS or spam attacks are not allowed.
- Don't impact other users with your testing, including testing for vulnerabilities on accounts you do not own. We may suspend your account if you do so.
- Don't use scanners or automated tools to find vulnerabilities. We may suspend your account if you do so.
- Non-technical attacks (such as social engineering; phishing; physical attacks against employees, users, or infrastructure) do not count as bugs or vulnerabilities. Please do not attempt them.
In turn, Conduit will follow these rules:
- We will keep you updated as we work to fix the problem you report.
- We will not take legal action against you if you follow these rules and act in good faith.
Does Conduit have a bug bounty?
We do not have a paid bug bounty at this time.