SendaOne v0.17.153

Security Policy

SendaOne takes security seriously. This page describes how to report a vulnerability, what to expect in terms of response times, the limits of the responsible disclosure program and public acknowledgements of researchers who have contributed.

Reporting a vulnerability

If you have discovered a vulnerability in SendaOne, write to:

[email protected]

If your report contains sensitive information (proof-of-concept exploiting other users' data, leaked credentials, etc.) encrypt the message with the operator's public PGP key available in the repository (pending formal publication — if you need it urgently, request it via plain mail and the operator will respond with the key).

In the report please include:

Program scope

The program covers any vulnerability present in:

OUT of scope:

Bug bounty

SendaOne does NOT operate a formal bug bounty program with monetary payment at the time of writing this policy. Confirmed findings are rewarded with:

If the project grows to a point that justifies a monetary-rewards budget, we will announce it on this page.

Responsible disclosure

We commit to the following process:

  1. Confirm receipt of the report within 48 business hours.
  2. Communicate estimated severity and a mitigation plan within 5 business days.
  3. Deploy the fix to production within a timeframe proportional to severity (critical: days; high: a week; medium/low: up to 30 days).
  4. Coordinate publication of the advisory with the researcher.

The researcher commits to:

A good-faith disclosure following this process will not be subject to legal action by the operator.

Acknowledgements

The operator publicly thanks researchers who have contributed responsible reports. The list is updated with each confirmed fix:

Security measures already in place

SendaOne already implements, without need for any report:

Privacy · Terms · Contact · Versión en español