We at CometChat Inc. (“CometChat”) are committed to ensuring the security of our software and protecting the information of our customers and their users. We understand and acknowledge that no system is completely secure, and we therefore appreciate the work of security researchers in identifying vulnerabilities. To facilitate this, we are announcing our Vulnerability Disclosure Program (VDP).
Program Scope
This program covers all software, web services, and systems owned and operated by CometChat. We accept vulnerability reports from all sources such as independent security researchers, industry partners, vendors, customers and consultants. CometChat defines a security vulnerability as an unintended weakness or exposure that could be used to compromise the integrity, availability or confidentiality of our products and services.
However, this program does not include any third-party systems or services integrated with our software, unless explicitly stated otherwise.
Disclosure Guidelines
We request that all security researchers:
Share the details of any vulnerabilities found, including the steps required to reproduce and validate the vulnerability. This may include screenshots, script output, and console commands.
Respect user privacy by not accessing or modifying user data without express consent.
Not exploit any vulnerability discovered beyond the minimum testing required to confirm it.
Keep the details of any discovered vulnerabilities confidential until we have had reasonable time to address them.
Not submit a high volume of low-quality reports.
Rewards
While we do not provide a monetary reward for vulnerability disclosure, we appreciate the work of security researchers in making our software more secure. We will acknowledge their contributions in any public disclosure of the vulnerabilities.
Reporting
Please report any vulnerabilities found to security@cometchat.com. Include as much information as possible, including a description of the vulnerability and steps for reproduction.
Response
Upon receiving a vulnerability report, we will:
Confirm receipt of the report within 3 business days.
Investigate the reported vulnerability and confirm its existence.
Provide a timeline for fix and disclosure dependent on the severity of the vulnerability.
Keep the researcher informed of our progress towards fixing the vulnerability.
Legal Safe Harbor
We will not initiate legal action against researchers for security research conducted consistent with this policy.
We are committed to addressing all reported vulnerabilities in a timely and comprehensive manner. We appreciate the work of the security community in helping us maintain the safety and integrity of our systems. Thank you for your collaboration and understanding.