Disclosure Policy

Updated
September 15, 2022

As a security company, security is our priority.

We strive to work with security researchers to make sure they disclose vulnerabilities in a way that doesn’t put anyone at risk.

Our commitment

We respect the time and effort it takes to find and report security issues, and we are committed to making sure that all the reports are promptly and appropriately reviewed.

The program

If you’ve found a potential security issue in our product and/or service, we encourage you to notify us by following the responsible disclosure policy outlined here.

Disclosure

  • If you’ve discovered a potential vulnerability, please let us know by emailing us at security@listen.dev. We will acknowledge your email within 5 business days and provide you with the next steps.

  • Provide us with a reasonable amount of time (minimum 30 days) to resolve the issue before disclosing it to the public or to a third party. We aim to resolve critical security issues within 10 business days from the disclosure.

  • Avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with the written permission of the account holder.

  • We are generally glad to publicly disclose reports 2 weeks after shipping the release which contains the fix to the security issue you disclosed to us.

Scope

This program only applies to the listen.dev domain, to its platform, and to the mex.listen.dev subdomain.

Should you find anything regarding other subdomains, feel free to contact us anyway, and we will be glad to evaluate your findings according to this program if they apply.

Bounties

  • $0 — We don’t think you’ve discovered a security threat or issue.
  • $50 — Congratulations, you’ve discovered a minor security problem. We do not plan to fix it as soon as possible, but we still think it represents a security threat that will need attention shortly.
  • $500 — Oh, things are getting serious. Thank you for providing us the opportunity to make our platform safer for our users: we will prioritize the fix of this security issue in the next scheduled release.
  • $1000 — You’ve discovered a really serious threat, something that forces us to review our release schedule, shift our focus to it, and work to release a fix as soon as possible with maximum priority.

Exclusions

We would like you to refrain from:

  • DoS attacks
  • Spamming
  • Social engineering (e.g., phishing) of Garnet Labs Inc. employees or contractors
  • Any physical attempts against Garnet Labs Inc.’s physical property