Responsible Disclosure Policy
If you believe you have found a security vulnerability on one of our websites or projects, we encourage you to let us know right away. We will investigate all legitimate reports and do our best to fix the problem quickly. Also, let us know if you would like credit for discovering the issue. We can cite you as the discoverer if we weren't previously aware of the problem.
Before reporting, please review this page; If you are looking to report another type of issue, please use https://rasa.com/contact/ for assistance.
If you comply with the policies below when reporting a security issue to us, we will not initiate a lawsuit or law enforcement investigation against you in response to your report. We ask that:
- You give us reasonable time to investigate and mitigate an issue you report before making public any information about the report or sharing such information with others. (90 days)
- You do not interact with an individual account (including modifying or accessing data from the account) if the account owner has not consented to such actions.
- You make a good faith effort to avoid privacy violations and disruptions to others, including (but not limited to) destruction of data and interruption or degradation of our services.
- You do not exploit a security issue you discover for any reason. (This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for further issues)
- You do not violate any other applicable laws or regulations.
We do not offer a bug bounty program.
- rasa.com domain and subdomains
- l3-ai.dev domain and subdomains
- Rasa X product
- All Rasa open source projects (github.com/RasaHQ)
Out of Scope
- Denial-of-service attacks.
- Reports indicating that our services do not fully align with "best practice", e.g. missing security headers (CSP, x-frame-options, x-prevent-xss etc) or suboptimal email related configuration (SPF, DMARC etc)
- TLS configuration weaknesses (e.g. "weak" cypher suite support, TLS1.0 support, sweet32 etc.)
- Social engineering or phishing of Rasa employees or contractors
- Any attacks against Rasa's physical property
- Any form of credentials brute-forcing is strictly forbidden
- Any services hosted by 3rd party providers and services
- Email email@example.com
- Description of the issue
- When you found the issue
- How to reproduce it
- Any thoughts on how we can mitigate the issue
- Feel free to share scripts or network traces
Last updated: 22.06.2021