Security Disclosure Policy
We take the security of our applications seriously. If you believe you have discovered a security vulnerability, we encourage you to report it to us responsibly.
How to Report
Please send your findings to security@chief.app and include:
- A description of the vulnerability
- The affected applications or components
- Steps to reproduce the issue
- Any relevant screenshots or proof-of-concept code
- Your contact information (optional, but helpful for follow-up questions)
If you prefer to use PGP for secure communication, our public key is available from our security.txt.
What to Expect
- We will acknowledge receipt of your report within 5 business days
- We will investigate and work to address confirmed vulnerabilities promptly
- We will keep you informed of our progress where possible
- We ask that you give us reasonable time to address the issue before any public disclosure
Guidelines
We ask that security researchers:
- Do not access, modify, or delete data belonging to others
- Do not disrupt or degrade our services
- Do not use automated scanning tools excessively
- Act in good faith and avoid privacy violations
No Bug Bounty Program
We do not operate a bug bounty or reward program. We are grateful for responsible disclosure but are unable to offer financial compensation or other rewards for vulnerability reports. By submitting a report, you acknowledge that you do so voluntarily with no expectation of payment.
Safe Harbour
We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, following the guidelines above.