We take the security of Smithy seriously and we appreciate your help in keeping
our service safe for everyone. If you have discovered a security vulnerability,
we would greatly appreciate you disclosing it to us in a responsible manner.
Reporting a security issue
If you have discovered a possible vulnerability, please email us at
hello@smithy.app. Please include as much detail as possible, such as:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any relevant screenshots or proof-of-concept code
We will acknowledge your report within 24 hours and work with you to assess
and understand the scope of the issue. We aim to provide a resolution timeline
within 5 business days of acknowledgement.
Scope
The following are in scope for responsible disclosure:
- The Smithy web application and its associated services
- The Smithy Slack bot and its API integrations
- Authentication and authorization vulnerabilities
- Data exposure or leakage issues
The following are out of scope:
- Denial of service attacks
- Social engineering or phishing attacks against Smithy employees or users
- Vulnerabilities in third-party services (Slack, Paddle, etc.)
- Automated scanning or testing that degrades service quality
Safe harbor
We will not take legal action against researchers who discover and report
vulnerabilities in good faith, provided that:
- You do not access, modify, or delete data belonging to other users
- You do not publicly disclose the vulnerability before we have had a reasonable
opportunity to address it
- You make a good faith effort to avoid disrupting Smithy's services
- You comply with all applicable laws
What to expect
- Acknowledgement of your report within 24 hours
- An assessment and resolution timeline within 5 business days
- Ongoing communication as we work to resolve the issue
- Credit for your discovery, if you wish, once the issue is resolved
Contact
For all security-related reports, please contact us at
hello@smithy.app.
Security emails are treated with the highest priority.