This document outlines security procedures and general policies for SafetyCulture projects.
The SafetyCulture team take all security issues seriously. Thank you for improving the security at SafetyCulture. We appreciate your efforts and responsible disclosure and will make every effort to acknowledge your contributions.
To report an issue, please send a detailed email using the contact details here.
Example of details to include:
- Short description demonstrating the issue with screenshots (where applicable)
- The affected platform and scenarios
- The name and affiliation of the security researcher involved in the discovery
We will acknowledge submissions as soon as we can, indicating the next steps in handling your report. After the initial reply to your report, the security team will endeavor to keep you informed of the progress towards a fix and full announcement, and may ask for additional information or guidance.
Please note we operate a private bug bounty program and also accept submissions via this platform. Invitations for security researchers to the platform can be requested by emailing [email protected].
When the SafetyCulture security team receives a security issue report, they will assign it to a primary handler. This person will coordinate the fix and release process, and provide updates throughout where we can.
If you have any suggestions on how this process could be improved, please submit a pull request.