Vulnerability Disclosure Policy
The security of our platform and the protection of our users are of the utmost priority for Superchat. A key element of our security strategy is the early identification and resolution of vulnerabilities. We value collaboration with the security research community and believe this cooperation significantly contributes to the continuous improvement of our security architecture.
We encourage security researchers to confidentially report potential security vulnerabilities to our development team before disclosing them publicly. Our goal is to identify and fix vulnerabilities before they can be exploited.
Our Commitments
- Review of All Reports: We are committed to carefully investigating and appropriately addressing all reported security issues.
- Confidentiality: All information you provide will be treated as confidential.
- Safe Harbour: We commit not to take legal action against security researchers who act in good faith and follow the process outlined here.
- Recognition: With your consent, we will acknowledge your contribution in our Hall of Fame.
- Transparency: Once a vulnerability has been resolved, we will inform affected users and publish relevant details regarding the identified security issue.
Scope
In Scope:
- Superchat platform
- Superchat mobile apps (iOS and Android)
- Superchat desktop app
- Superchat APIs and associated services
- Superchat web applications
- Superchat web widget
- Superchat web app
- Superchat reviews website
Out of Scope:
- Third-party dependencies: Vulnerabilities in third-party systems or libraries should be reported directly to the relevant provider in accordance with their disclosure policy.
- Denial-of-Service (DoS) attacks requiring substantial resources
- Physical security attacks on Superchat premises
- Social engineering attacks targeting Superchat employees
- Spam or abuse of our services
Reporting Process
1. Submitting a Report
If you have discovered a potential security vulnerability in our products or services, please contact us via email at security@superchat.de.
Please use this channel exclusively for security reports. For general software issues, kindly contact our regular support.
2. Required Information
Please provide as much relevant information as possible:
- Detailed Description: A concise summary of the vulnerability and its potential impact.
- Affected Components: Specific URLs, parameters, APIs, or application sections.
- Type of Vulnerability: e.g. XSS, CSRF, SQL Injection, Authentication Bypass.
- Technical Environment: Operating system, browser versions, and any other relevant software needed to reproduce the issue.
- Reproduction Steps: Detailed steps to reproduce the issue, including screenshots or videos where helpful.
- Proof of Concept: Code or examples demonstrating the exploitability of the issue.
- Severity: Ideally with a CVSS v3.1 score (use the CVSS Calculator).
- Potential Fix Suggestions: If you have recommendations for a fix.
- Your Contact Information: For follow-up questions and updates.
- Disclosure Plans: Whether and when you plan to publish your findings.
Please submit a separate report for each discovered vulnerability.
3. Open Source Components
We use various open source components in our products. If you discover a vulnerability in such a component, we ask you to:
- Report the issue directly to the respective open source project.
- Inform us of the report so we can take appropriate action.
4. Responsible Conduct
When searching for security issues, please:
- Do Not Compromise User Data: Avoid accessing, altering or deleting other users' data.
- Minimise Interference: Limit your testing to what is necessary to demonstrate the vulnerability.
- No DoS Attacks: Do not perform tests that could impact system availability.
- No Automated Scans: Avoid automated vulnerability scans that may burden our systems.
- No Social Engineering: Refrain from phishing or similar attacks against Superchat staff.
Our Response Process
- Acknowledgement: We will acknowledge receipt of your report within 48 hours.
- Assessment: Our security team will review the reported vulnerability and assess its severity and impact.
- Communication: We will keep you informed of the investigation status and share our assessment with you.
- Remediation: If the issue is confirmed, we will promptly develop a patch or other mitigation measure.
- Verification: After implementation, we will verify the effectiveness of our remediation.
- Disclosure: Once all mitigation measures are completed, we will notify affected users where applicable, publish relevant details in our security advisory, and acknowledge your contribution, with your consent.
Disclosure Timeline
We aim to follow this timeline:
- Day 0: Receipt of vulnerability report
- Day 2: Initial acknowledgement of receipt
- Day 7: Initial assessment of the vulnerability
- Day 30: Target for resolving the vulnerability
- Day 90: Coordinated disclosure (unless otherwise agreed)
For complex issues, this timeline may be adjusted in coordination with the reporter.
Contact
If you have any questions regarding this policy or the reporting process, please contact our security team at security@superchat.de.
Thank you for helping secure the Superchat platform!