- README.md: Product overview + issue tracker landing
- SECURITY.md: Responsible disclosure policy
- CODE_OF_CONDUCT.md: Community guidelines
- CONTRIBUTING.md: How to contribute
- SUPPORT.md: Comprehensive support guide
- Issue templates: Bug, feature, support, docs, security

All references updated to evercatch.dev domain.
# Security Policy

## Reporting a Vulnerability
We take security seriously. If you discover a security vulnerability, please report it responsibly.
### 🔒 How to Report
Email: security@evercatch.dev
DO NOT:
- ❌ Open a public GitHub/Gitea issue
- ❌ Disclose the vulnerability publicly
- ❌ Exploit the vulnerability
DO:
- ✅ Email us with detailed information
- ✅ Give us reasonable time to fix it
- ✅ Follow responsible disclosure practices
### 📧 What to Include
Please include as much information as possible:
- Description - What is the vulnerability?
- Impact - What could an attacker do?
- Steps to Reproduce - How can we reproduce it?
- Proof of Concept - Code, screenshots, or examples
- Suggested Fix - If you have ideas
- Your Contact Info - For follow-up questions
### ⏱️ Our Response Process
- Acknowledgment - We'll respond within 24 hours
- Assessment - We'll evaluate severity and impact
- Updates - We'll provide updates every 48 hours
- Fix - We'll develop and test a patch
- Disclosure - We'll coordinate public disclosure with you
- Credit - We'll credit you in our security advisory (if desired)
### 🎯 Severity Levels
| Level | Description | Response Time |
|---|---|---|
| Critical | Data breach, RCE, privilege escalation | 24 hours |
| High | Auth bypass, SQL injection, XSS | 48 hours |
| Medium | CSRF, info disclosure, DoS | 1 week |
| Low | Security misconfigurations | 2 weeks |
## 💰 Bug Bounty Program
We currently don't have a formal bug bounty program, but we may provide:
- 🎁 Swag (t-shirts, stickers)
- 💳 Free subscription upgrades
- 💵 Monetary rewards for critical vulnerabilities (case-by-case)
- 🏆 Public recognition (if desired)
## ✅ In Scope
- API endpoints (api.evercatch.dev)
- Web dashboard (app.evercatch.dev)
- Authentication/authorization
- Data storage and access controls
- Webhook forwarding logic
- Billing system
## ❌ Out of Scope
- Social engineering attacks
- Physical attacks
- DoS/DDoS attacks
- Spam or abuse of service
- Issues in third-party services (Stripe, SendGrid, etc.)
- Theoretical vulnerabilities without proof of concept
## 🛡️ Security Measures We Take
- Encryption - TLS 1.3 in transit, AES-256 at rest
- Authentication - API keys hashed with bcrypt
- Rate Limiting - Per-tier limits prevent abuse
- Input Validation - All inputs sanitized
- Monitoring - 24/7 monitoring for suspicious activity
- Audits - Regular security audits
- Compliance - SOC2 Type II (planned Q2 2026)
## 📜 Security Advisories
Past security advisories: evercatch.dev/security
## 📞 Contact
- Security Team: security@evercatch.dev
- PGP Key: Download
- Status Page: status.evercatch.dev
Thank you for helping keep Evercatch and our users safe! 🔐