Vulnerability Disclosure Program
We value the security of our users of "Q, ChatGPT for Slack" and recognize the importance of partnering with the security community. This Vulnerability Disclosure Program outlines how to report vulnerabilities in a responsible manner.
This program covers vulnerabilities found within the following:
- Our homepage (here) hosted on Vercel.
- Our Slack app servers hosted on Heroku.
Other specific systems or third-party components may be out of scope. If you have any questions, you can email us, invite email@example.com to Slack Connect from your workspace to join Slack Connect with us. Slack Connect, a free service by Slack, enables direct messaging between workspaces. We're here to help!
3. Reporting a Vulnerability
If you believe you've found a security vulnerability in one of our products or platforms, we encourage you to notify us. We welcome working with you to resolve the issue promptly.
Report vulnerabilities via email to firstname.lastname@example.org and specify whether the issue is related to the homepage or app server. Include:
- Description of the vulnerability
- Steps to reproduce the vulnerability
- Suggested mitigation or remediation options for the vulnerability
- Your name/handle and a link for recognition
- Supporting material such as screenshots, logs, or videos
- Potential impact assessment
4. Guidelines for Responsible Disclosure
In participating in this program, we ask that you:
- Make a good faith effort to avoid privacy violations, service degradation, and data destruction.
- Refrain from disclosing the vulnerability publicly before a mutually agreed-upon timeframe.
- Allow us reasonable time to address the issue before public disclosure.
5. Legal Considerations
By participating in this program, you agree to:
- Not violate any other applicable laws or regulations.
- Not engage in activities that may cause unnecessary harm or violate legal agreements
- Cooperate with our team in resolving the vulnerability.
6. Recognition and Rewards
While we do not offer monetary rewards, we will acknowledge your contribution in our security documentation, or other public recognition deemed appropriate by our team.
7. Response Timeline
We will acknowledge receipt of your report within 48 hours, indicating that we have received your information. We will also keep you informed of our progress in resolving the issue.
Vulnerabilities that fall out of the above scope may not be eligible for recognition. Examples include:
- Denial of service attacks
- Social engineering (including phishing) of "Q, ChatGPT for Slack" staff or contractors
- Physical attacks against "Q, ChatGPT for Slack" property or data centers
- Vulnerabilities in third-party applications or platforms
- Vulnerabilities that are not reproducible or involve unsupported browsers or platforms
9. Contact Us
If you have any questions, you can email us, invite email@example.com to Slack Connect from your workspace to join Slack Connect with us. Slack Connect, a free service by Slack, enables direct messaging between workspaces. We're here to help!