Responsible Disclosure



Introduction


At Phylonoe, we are committed to ensuring the security and privacy of our users. We appreciate the efforts of security researchers and the broader community in helping us maintain and improve our security posture. This Responsible Disclosure Policy outlines how to report security vulnerabilities and what you can expect when you do.


Reporting Security Vulnerabilities


If you discover a security vulnerability in our systems, we encourage you to report it to us promptly. Please follow the steps below to ensure your report is handled efficiently:


1. Contact Us

Please send a detailed report of the vulnerability to our security team at info@phylonoe.com. Include as much information as possible to help us understand and reproduce the issue. This includes:

  • A clear description of the vulnerability,
  • Steps to reproduce the issue,
  • Any potential impact or risks,
  • Proof of concept, if applicable,
  • Your contact information (optional but helpful).

2. Use of Encryption

If you prefer to communicate securely, you can use our PGP/GPG key, available on GitHub.


3. Responsible Disclosure

Please do not disclose the vulnerability publicly until we have had a chance to address it. We will acknowledge receipt of your report within 3 business days and keep you updated on our progress.


What to Expect


  • Acknowledgement: We will confirm receipt of your report and provide an estimated timeline for resolution.
  • Response: Our security team will review and verify the vulnerability. We may contact you for additional details if needed. We aim to address critical issues as quickly as possible.
  • Resolution: Once the issue is fixed, we will notify you and, if applicable, provide a summary of the resolution. We may also publicly acknowledge your contribution, with your permission, on our Acknowledgements page.
  • Bounty: We currently do not offer a bounty. However, we value your contribution and will recognise it in accordance with our Acknowledgements page.

Guidelines for Reporting

  • Non-Disruptive: Do not attempt to disrupt, destroy or damage our services or data. Please perform tests in a manner that does not affect our users or operations.
  • No Unauthorized Access: Avoid accessing any user accounts or sensitive data unless explicitly necessary for demonstrating the vulnerability.
  • Legal Compliance: Ensure that your actions comply with all applicable laws and regulations.

Additional Resources

For more information, you can visit our security page or reach out to the security team directly.


Thank You!

We really appreciate your efforts to help us improve our security. Responsible disclosure helps us protect our users and maintain the integrity of our services.



Phylonoe Security Team