Responsible Disclosure of Security Vulnerabilities
No technology is ever perfect, and FarmBot believes that working with skilled security researchers and our entire community of users across the globe is crucial in identifying weaknesses in our technology. If you believe you’ve found a security issue in our product or service, we ask that you notify us privately at firstname.lastname@example.org as soon as possible so that we may work with you to promptly fix the issue.
Do not publicly post the issue
Please, do NOT publicly post about the issue on GitHub, in the FarmBot forum, or in other public places on the Internet. Publicly posting a security vulnerability before a fix is developed may threaten FarmBot and its users and cause more harm than good.
No bounties at this time
At this time we do not have a bounty program and we do not offer swag or any other compensation for reported security vulnerabilities.
How to responsibly identify and disclose security issues
- Upon discovery of a security issue, privately let us know as soon as possible and we’ll make every effort to quickly resolve the issue. You can email us at email@example.com. Please include as much information as possible so that we may more quickly diagnose the root cause of the problem.
- Provide us a reasonable amount of time to resolve the issue before you make any disclosure to the public or a third party. We request that you give us at least 30 days to recreate the issue, identify the root cause, develop and test a fix, and deploy the new system(s) to our users.
- While researching the security of our systems, we’d like to ask you to refrain from:
  - Denial of service
  - Social engineering (including phishing) of FarmBot staff or contractors
  - Any physical attempts against FarmBot property or data centers
Thank you for helping keep FarmBot and our users safe!