Vulnerability Disclosure Policy
Maintaining the security of our applications and networks is a high priority for Chattermill. If you have information related to security vulnerabilities of Chattermill products and services, please submit a report in accordance with the guidelines below. Thank you for helping keep Chattermill and our customers safe!
If you follow the guidelines in this Vulnerability Disclosure Policy when conducting security research and reporting an issue to us, we commit not to pursue or support any legal action related to your research and work with you to understand and resolve the issue quickly (including an initial confirmation of your report within 72 hours of submission).
Chattermill's Vulnerability Disclosure Policy applies to security vulnerabilities discovered in any web services or other public facing software running on *.chattermill.io or *.chattermill.xyz domains.
Our security team rapidly investigates all reported security issues. If you believe you’ve discovered a bug in Chattermill’s security, please get in touch with information about the vulnerability and detailed steps on how to replicate it. The Chattermill security team will review your submission and respond within 72 hours. You must give us 30 days (starting from the day of a vulnerability submission) to address the security issue you raise before making any part of it public.
- You agree that any and all information acquired or accessed by you as part of your security research activities is confidential to Chattermill and you shall hold the Confidential Information in strict confidence and shall not copy, reproduce, sell, assign, license, market, transfer or otherwise dispose of, give or disclose such information to third parties or use such information for any purposes other than for security research activities according to this Vulnerability Disclosure Policy.
- You acknowledge and agree that any and all information you encounter is owned by Chattermill or its third party providers, clients or customers. You have no rights, title or ownership to any information that you may encounter.
- You agree to perform research only within the scope set out in this Vulnerability Disclosure Policy.
- You agree not to modify or delete Chattermill-hosted data permanently.
- You agree not to access intentionally non-public Chattermill data any more than is necessary to demonstrate the vulnerability.
- You agree not to conduct DDoS attacks or otherwise disrupt, interrupt or degrade our internal or external services.
- You agree not to share confidential information obtained from Chattermill with any third party.
- You agree not to test Chattermill’s website and services for spam, social engineering or denial of service issues. Your testing must not violate any law, or disrupt or compromise any data that is not your own.
- You agree not to send phishing emails to, or use other social engineering techniques against, anyone, including Chattermill staff, vendors, partners or clients.
- Chattermill may modify the terms of this policy or terminate the policy at any time.