We care very deeply about fixing bugs and vulnerabilities, and addressing concerns as soon as possible. We generally roll out solutions to mission-critical problems within hours of confirming them.

How can I report a bug or vulnerability?

  • Through Intercom, by using the chat bubble on the bottom-right of any Conduit page while logged in. This gives us the most context about the problem.
  • Through any error page, by clicking "Report the problem to us" or "Tell us what happened". Your browser may also automatically send us redacted information about the problem.
  • Via email, to [email protected] (our root domain name, conduithq.com)

What rules should we follow when finding or reporting problems?

As adapted from Medium's bug disclosure policy, you should follow these rules:

  • Give us reasonable time to respond before making any information about the security issue public.
  • Don't attempt to gain access to another user's account or data.
  • Don't perform any attack that might harm the integrity or reliability of our services or data. DDoS or spam attacks are not allowed.
  • Don't impact other users with your testing, including testing for vulnerabilities on accounts you do not own. We may suspend your account if you do so.
  • Don't use scanners or automated tools to find vulnerabilities. We may suspend your account if you do so.
  • Non-technical attacks-- such as social engineering; phishing; physical attacks against employees, users, or infrastructure-- do not count as bugs or vulnerabilities. Please do not attempt them.

In turn, Conduit will follow these rules:

  • We will keep you updated as we work to fix the problem you report.
  • We will not take legal action against you if you follow these rules and act in good faith.

Does Conduit have a bug bounty?

We do not have a paid bug bounty at this time.

Did this answer your question?