How to Report a Security Problem
If you feel the issue is urgent or has some sensitive element involved, please send your report directly to firstname.lastname@example.org. To ensure confidentiality in the reporting process, please use our public key. Doing this will also give us a secure way to respond to your concerns, usually within 24 hours. Please feel free to follow up or give us a ping on Twitter if you are concerned over getting an initial acknowledgment.
If your issue isn't urgent or sensitive, you should submit a support request where it will be handled through our normal support processes.
How We Manage Security Issues
To keep up with the latest in web security and to ensure our defences are effective, we work with security researchers. If you are a security researcher who is aware of a web security flaw that may affect our platforms and products, please let us know. Submitted reports will be…
We will inform you of the best way to keep track of the issue.
We will look into the issue and work out how it affects our systems. Although we won't disclose the issues until the investigation is completed, we will work with you so that all involved fully understand the issue.
We will publicly thank the reporter for discovering and helping us correct a security issue on this page.
Our products are built on a wide range of technologies and issues reported may be an issue with one of those technologies. Where that is the case, we will work with the communities and companies behind those technologies to ensure that they are protected from the same issue and avoid a situation where early public disclosure leaves others at risk. With that in mind, we ask for your understanding and patience in advance and assure you that is such a step is necessary that we will keep you informed.
Only noteworthy reporting is eligible for acknowledgement on the site. The following classes of report are ineligible:
- Reports from automated tools, scripts and tools - Many tools are noisy and generate false positives. If you believe that you have found an issue, to be noteworthy the problem must be accompanied by details of a practical exploit to eliminate those false positives.
- SSL cipher issues - We only accept cipher issues as noteworthy if they are accompanied with details of a practical exploit leveraging that cipher issue.
We'd like to thank the following security researchers and companies whom have worked with us to keep Compose as secure as possible by finding, fixing, and responsibly disclosing security flaws:
- iSEC Partners
- Nishant Raj
- Kamil Sevi
- Swapnil A. Thaware
- Jitendra Jaiswal
- Ahmed Jerbi (Web Plus)
- Milan A Solanki
- Satheesh Raj (@rsatheesh523)
- Joel Melegrito (@Superngorks)
- Madhu Akula
- DJ (WritingOddity)
- C Vishnu Vardhan Reddy (Vishnu_dfx).
- Jan Kulinski, MetricWire
- Dan Gilkerson
- Shawar Khan