Reality check!
Iterative puts a lot of effort into keeping its systems, platforms and tools as secure as possible. Yet, we understand that no matter how much effort we put into system security, bugs and accidents can happen and security vulnerabilities can always be discovered in our products.
Thus, we welcome and appreciate the assistance of the global security community in helping us keep our systems and tools safe.
Responsible Disclosure Policy
We appreciate responsible disclosure of security bugs & vulnerabilities, and encourage a reporting process which involves collaborating with us to address the issue. This document details our stance on externally reported security issues in our products (open and closed source) and infrastructure.
<aside>
⚠️ If you discover a vulnerability, we would like you to inform us as soon as possible so we can take appropriate action as quickly as possible.
</aside>
Guidelines
- Email your findings to [email protected].
- Provide sufficient information to reproduce the problem. These details are critical for us to understand the issue and assess its impact, so that we can resolve it as quickly as possible.
- If you consider it necessary, you can use this GPG key to encrypt the contents of your emails.
- Do not take advantage of the vulnerability or breach you have discovered, for example by downloading more data than is necessary to demonstrate the vulnerability, or by deleting or modifying other people's data.
- Do not disclose the bug/vulnerability to others until we have resolved and confirmed it. We take all reports extremely seriously and will get back to you as soon as possible.
- Out of concern for the availability of our services to all users, please do not attempt to carry out DoS attacks, leverage black hat SEO techniques, spam people, employ social engineering, carry out attacks on physical security systems or perform other similarly questionable actions. Whenever possible, please try to test the vulnerabilities locally without impacting other users. We also discourage the use of any vulnerability testing tools that automatically generate significant volumes of traffic.
- If you have created a Studio account for security research purposes, please send us the account name and email you used.
We promise
- To respond to your report within 3 business days.
- To respond with our evaluation within 7 business days.
- If you followed the instructions above, we will not take legal action against you in regard to your report. We adhere to GitHub's Safe Harbor Policy.
- We will handle your report with strict confidentiality and will never pass on your personal details to third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.