Data security is a top priority for Colabra, and we believe in
with skilled security researchers to identify any weaknesses.
If you believe you've found a security vulnerability in Colabra's service, please notify us; we will work with you to resolve the issue promptly.
Let us know as soon as possible when you've discovered a potential vulnerability by emailing us at [email protected]. We vow to acknowledge your email within 24 hours.
Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within one week of disclosure.
Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Colabra service. Please only interact with domains you own or for which you have explicit permission from the account holder.
Colabra for iOS and Android
Colabra does not accept vulnerabilities in third-party services, unless specific mitigations from Colabra are required to remediate the issue.
While researching, we'd like you to refrain from:
Denial of service
Social engineering or phishing of Colabra employees or contractors
Any attacks against Colabra's physical property or data centers
Any attacks against Colabra's users
Use of automated scanning tools
The following potential issues are not considered in scope:
Lack of rate limiting on any resources
Password policy issues, including lack of upper limit on passwords
HTTP 404 or other error codes and pages
Banner or version disclosure of any kind
Presence of common public files, such as robots.txt or files in the .well-known directory
CSRF on anonymous resources, or any CSRF issue which does not include an exploit showing control over sensitive actions
Clickjacking issues, unless an exploit showing account takeover or disclosure of sensitive resources is provided
SPF/DKIM/DMARC configuration issues
Colabra will determine a possible reward based on the impact and quality of the submission. Colabra will consider the potential impact on the business and clients, the ease of exploitation, and the ability to mitigate the issue internally. To help expedite the process, we ask that submissions contain the following:
Clear description of the issue, including a possible attack scenario
Reproduction steps that demonstrate a positive test case showing the presence of the vulnerability
Recommended fixes, mitigations or workarounds for the reported issues