# Security Policy

## Reporting a Vulnerability

**We take security seriously.** If you discover a security vulnerability in Evercatch, please report it responsibly.

### 🔒 How to Report

**Email:** [security@evercatch.dev](mailto:security@evercatch.dev)

**DO NOT:**

- ❌ Open a public GitHub/Gitea issue
- ❌ Disclose the vulnerability publicly before a fix is released
- ❌ Exploit the vulnerability beyond the minimum needed for a proof of concept

**DO:**

- ✅ Email us with detailed information
- ✅ Give us reasonable time to fix it
- ✅ Follow responsible disclosure practices

### 📧 What to Include

Please include as much information as possible:

- **Description** - What is the vulnerability?
- **Impact** - What could an attacker do?
- **Steps to Reproduce** - How can we reproduce it?
- **Proof of Concept** - Code, screenshots, or examples
- **Suggested Fix** - If you have ideas
- **Your Contact Info** - For follow-up questions

### ⏱️ Our Response Process

1. **Acknowledgment** - We'll respond within 24 hours
2. **Assessment** - We'll evaluate severity and impact
3. **Updates** - We'll provide progress updates every 48 hours
4. **Fix** - We'll develop and test a patch
5. **Disclosure** - We'll coordinate public disclosure with you
6. **Credit** - We'll credit you in our security advisory (if desired)

### 🎯 Severity Levels

| Level | Description | Response Time |
|-------|-------------|---------------|
| **Critical** | Data breach, RCE, privilege escalation | 24 hours |
| **High** | Auth bypass, SQL injection, XSS | 48 hours |
| **Medium** | CSRF, info disclosure, DoS | 1 week |
| **Low** | Security misconfigurations | 2 weeks |

### 💰 Bug Bounty Program

We currently don't have a formal bug bounty program, but we may provide:

- 🎁 Swag (t-shirts, stickers)
- 💳 Free subscription upgrades
- 💵 Monetary rewards for critical vulnerabilities (case-by-case)
- 🏆 Public recognition (if desired)

### ✅ In Scope

- API endpoints (api.evercatch.dev)
- Web dashboard (app.evercatch.dev)
- Authentication/authorization
- Data storage and access controls
- Webhook forwarding logic
- Billing system

### ❌ Out of Scope

- Social engineering attacks
- Physical attacks
- DoS/DDoS attacks
- Spam or abuse of service
- Issues in third-party services (Stripe, SendGrid, etc.)
- Theoretical vulnerabilities without proof of concept

### 🛡️ Security Measures We Take

- **Encryption** - TLS 1.3 in transit, AES-256 at rest
- **Authentication** - API keys stored as bcrypt hashes, never in plaintext
- **Rate Limiting** - Per-tier limits prevent abuse
- **Input Validation** - All inputs validated and sanitized
- **Monitoring** - 24/7 monitoring for suspicious activity
- **Audits** - Regular security audits
- **Compliance** - SOC 2 Type II (planned for Q2 2026)

### 📜 Security Advisories

Past security advisories: [evercatch.dev/security](https://evercatch.dev/security)

### 📞 Contact

- **Security Team:** security@evercatch.dev
- **PGP Key:** [Download](https://evercatch.dev/pgp)
- **Status Page:** [status.evercatch.dev](https://status.evercatch.dev)

---

**Thank you for helping keep Evercatch and our users safe!** 🔐