Contact: mailto:security@crowdcast.io
Canonical: https://crowdcast.io/.well-known/security.txt

At Crowdcast, we take the security of our live streaming platform seriously. While we work hard to keep our systems secure, we recognize that security researchers play a valuable role in identifying potential vulnerabilities. If you discover a security issue, please report it responsibly so we can protect our community of event hosts and attendees.

Here is a brief list of some common out-of-scope vulnerabilities:
- Weak password reports
- Clickjacking on pages with no sensitive actions
- Unauthenticated/logout/login CSRF
- Attacks requiring MITM or physical access to a user's device
- Attacks requiring social engineering
- Any activity that could lead to the disruption of our service (DoS)
- Content spoofing and text injection issues without showing an attack vector/without being able to modify HTML/CSS
- Email spoofing
- Missing DNSSEC, CAA, CSP headers
- Lack of Secure or HttpOnly flag on non-sensitive cookies
- Dead links
- User enumeration

Testing guidelines:
- Do not run automated scanners on our production systems without prior authorization. Contact us at security@crowdcast.io if you need to perform automated testing.
- Do not access, modify, or delete data belonging to other users.
- Do not perform testing that could disrupt our service or affect our users' events.

Reporting guidelines:
- Email your report to security@crowdcast.io
- Provide sufficient information to reproduce the problem, so that we can resolve it as quickly as possible.

Disclosure guidelines:
- In order to protect our customers, do not reveal the problem to others until we have researched and addressed it and informed our affected users.

What we promise:
- We will respond to your report within 10 business days with our evaluation of the report and an expected resolution date.
- If you have followed the instructions above, we will not take any legal action against you in regard to the report.
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).

We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.