Sun over Hill

Vulnerability Disclosure Guidelines

All technology contains bugs. If you've found a security vulnerability, we'd like to patch it before publication and then acknowledge your contribution. Here we detail a few guidelines for submitting vulnerabilities.

Vulnerability Definition

A security vulnerability is defined as a software bug that would allow an attacker to perform an action in violation of an expressed security policy. A bug that enables escalated access or privilege is a vulnerability. Design flaws and failures to adhere to security best practices may qualify as vulnerabilities. Weaknesses exploiting social engineering are not considered vulnerabilities unless the Seam Team determines otherwise.

Submission Process

If you believe you have found a vulnerability, please submit a Report to [email protected] You can encrypt the content of your email using our public AGE key listed on our security page. You may choose to provide a public key as well for us to correspond back with you.

The Report should include a detailed description of your discovery with clear, concise reproducible steps or a working proof-of-concept. If you don't explain the vulnerability in detail, there may be significant delays in the disclosure process.

We will update you with significant events, including when the vulnerability has been validated, or when more information is needed from you.

Remediation & Disclosure Process

Once a vulnerability has been accepted and patched, you may make it public. We believe transparency is in the public's best interest and support this practice.

If our Security Team has evidence of active exploitation or imminent public harm, they may immediately provide remediation details to the public so that users can take protective action. We will still provide credit for your findings.

In rare circumstances, due to complexity and other factors, some vulnerabilities will require longer to remediate. In these cases, we kindly ask that the vulnerability remain non-public to ensure our Team has an adequate amount of time to address a security issue. We operate in good faith and do not seek to discredit your findings.

Public Recognition

You may receive public recognition for your find if 1) you are the first person to file a Report for a particular vulnerability, 2) the vulnerability is confirmed to be a valid security issue, and 3) you have complied with these guidelines. If you prefer to remain anonymous, we encourage you to submit under a pseudonym.