Responsible disclosure

Data security is a top priority for Colabra, and we believe in working with skilled security researchers to identify any weaknesses.

If you believe you've found a security vulnerability in Colabra's service, please notify us; we will work with you to resolve the issue promptly.

Disclosure policy

Let us know as soon as possible when you've discovered a potential vulnerability by emailing us at [email protected]. We vow to acknowledge your email within 24 hours.

Give us a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within one week of disclosure.

Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Colabra service. Please only interact with domains you own or for which you have explicit permission from the account holder.

Targets

  • lab.colabra.app
  • Colabra for iOS and Android

Colabra does not accept vulnerabilities in third-party services, unless specific mitigations from Colabra are required to remediate the issue.

Exclusions

While researching, we'd like you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering or phishing of Colabra employees or contractors
  • Any attacks against Colabra's physical property or data centers
  • Any attacks against Colabra's users
  • Use of automated scanning tools

The following potential issues are not considered in scope:

  • Lack of rate limiting on any resources
  • Password policy issues, including lack of upper limit on passwords
  • HTTP 404 or other error codes and pages
  • Banner or version disclosure of any kind
  • Presence of common public files, such as robots.txt or files in the .well-known directory
  • CSRF on anonymous resources, or any CSRF issue which does not include an exploit showing control over sensitive actions
  • Clickjacking issues, unless an exploit showing account takeover or disclosure of sensitive resources is provided
  • Self-XSS issues
  • SPF/DKIM/DMARC configuration issues

Rewards

Colabra will determine a possible reward based on the impact and quality of the submission. Colabra will consider the potential impact to the business and clients, the ease of exploitation, and the ability to mitigate the issue internally. We ask that submissions contain the following in order to help expedite the process:

  • Clear description of the issue, including a possible attack scenario
  • Reproduction steps that demonstrate a positive test case showing the presence of the vulnerability
  • Recommended fixes, mitigations or workarounds for the reported issues