Information for Security Researchers

Codehof holds the security research community in extremely high regard, and welcomes the opportunity to collaborate with researchers who may have found security vulnerabilities in our products or services. This page sets out some of our general policies around security research collaboration. We welcome any questions or feedback.

Codehof does not currently offer any bug bounties or other rewards for finding or reporting security vulnerabilities. We will, however, publicly thank researchers who responsibly disclose issues to us.

If you think you’ve discovered a security issue in one of our products, please email security@codehof.com. If the details of the problem are sensitive, we welcome OpenPGP mail encrypted to key ID 7E76 0F9E E459 1007 2D76 F555 5EDA CFC8 2A71 0D95, which can be found on public keyservers, at https://pifke.org/dpifke.asc, or via Keybase. We will respond to any reports as soon as possible.

Before disclosing your issue publicly, we ask that you please give us some time to fix or mitigate the issue. In general, we think 30-90 days is fair, although we’ll do our best to fix it much sooner, especially if it’s serious.

When making a report, please try to include detailed information, such as steps to reproduce the issue and the potential impact on end-users of our service.

We promise to assume good faith on your part, and ask that you do the same towards us. Reasonable people can have honest disagreements about what constitutes a vulnerability, or what “responsible” disclosure entails, or how long it should take to respond to an issue.

Regardless of your intentions, we do not authorize or condone any illegal activities or violations of our Terms of Service. If you are investigating a potential vulnerability, please make every effort to avoid violating the privacy of our users, disrupting our services, or destroying data. If necessary, we will be happy to provide you with a separate instance of our site for testing, which does not contain any live data. Our policy is to involve law enforcement if we detect any unauthorized access to, or denial-of-service against, our production systems.

Additionally, we do not permit automated security scans of our systems, and will ignore any reports sent by bulk scanning tools (and will likely block the scanner's IP address and/or autonomous system).