We care about security. Please report any security-related issues by emailing security@gitfund.io.

Disclosure Timeline

  • We will aim to respond to your initial report as soon as possible.

  • If, for some reason, we haven't responded to your report within 24 hours, please try to get a hold of a member of the security team by asking on Slack/IRC.

  • Once a member of the security team has reviewed your report, they may ask you for more info to better understand the issue.

  • Once the security team has all the necessary info, they will assess the report and tell you by email whether we consider it a valid bug.

  • If the issue has been accepted as a valid bug, then we ask that you give us 45 days to fix the issue, after which you are welcome to publicly disclose the issue.

  • On the other hand, if the security team determines the issue to be invalid, you are welcome to publicly disclose it whenever you want.

Responsible Disclosure Policy

We will not initiate a lawsuit or law enforcement investigation against you in response to your report, as long as you:

  • Don't publicly disclose an issue until it has either been assessed to be invalid by our security team, or 45 days have passed since it was acknowledged as a valid issue by our security team.

  • Don't attempt to gain access to another user's account or data.

  • Don't exploit a security issue for any reason.

  • Don't perform any attacks that could impact the reliability or integrity of our services or data, e.g. denial of service attacks, spam attacks, &c.

  • Never conduct any non-technical attacks against us, our employees, our users, or our infrastructure, e.g. phishing, social engineering, physical assault, &c.

  • Don't violate any laws or our Terms of Service.

Bug Bounty Program

Due to limited resources, we do not currently offer any form of monetary reward for the reporting of bugs. We hope to be able to do so in the future as our finances improve.

In the meantime, we will recognise the reporters of all acknowledged security issues by listing their name and website on this page. Please let us know these details when you report the bug. Thank you!