How to report security issues to Taskstreamer, and what to expect in return.
Version 1.0 · Effective 24 April 2024
Taskstreamer takes the security of our platform seriously. We are a small company and we rely on the security community to help us find and fix issues we have missed. This policy explains how you can report a security vulnerability to us, what you can expect from us when you do, and the protections we offer to researchers who work with us in good faith.
We welcome reports from anyone. You do not need to be a professional security researcher. If you have noticed something that looks wrong, we want to hear from you.
This policy covers the following Taskstreamer properties:
The following are not covered. Reports focusing on these are unlikely to be treated as security issues:
Send your report to security@taskstreamer.com.
A useful report contains:
Our response commitments. We treat every report seriously, respond quickly, and keep you informed. The commitments below are what we hold ourselves to. If we fall short on any of them, please tell us.
| Stage | Our commitment |
|---|---|
| Acknowledgement | Within 2 business days of receipt. |
| Initial triage | Within 5 business days. We confirm reproduction, assign a severity, and tell you whether the report is in scope. |
| Ongoing updates | At least every 10 business days until the issue is resolved or closed. |
| Remediation target | Critical: 5 days. High: 10 days. Medium: 15 days. Low: 15 days if remediation available. We will explain any extension. |
| Closure notice | We tell you when the issue is fixed and what we shipped. |
We also commit to treating you with respect, engaging in good faith discussion of the technical details, and recognising your contribution publicly if you want that (see section 6).
If you act in good faith, we will not come after you. Research that follows this policy is authorised by Taskstreamer. We will not pursue civil action, initiate a criminal complaint, or support a criminal complaint by others against you for work that fits within the rules of engagement below. If a third party brings an action against you for activity we authorised, we will make it known to them that your activity was conducted in compliance with this policy.
This safe harbour has limits. It does not apply to activity that exceeds the rules of engagement in section 7, nor to activity that violates Dutch or EU law independently of Taskstreamer's authorisation. If you are unsure whether something you want to test falls inside this policy, contact security@taskstreamer.com first and ask. We would rather have a conversation than learn about it afterwards.
We maintain a public acknowledgements page at taskstreamer.com/security-acknowledgements. If your report leads to a fix and you would like public recognition, we will add your name (or a handle of your choice) together with the date and a short description of the class of issue. Reports that identified novel or high-impact issues may receive a more detailed write-up, coordinated with you.
Taskstreamer does not currently run a paid bug bounty programme. We do sometimes send a thank-you in the form of credit or another courtesy, and we always credit researchers in any security advisory we publish, unless they prefer to remain anonymous.
For your work to be covered by the safe harbour, please follow these rules:
This policy is governed by Dutch law. Taskstreamer BV is established in the Netherlands. Nothing in this policy constitutes a waiver of Taskstreamer's rights under applicable law, and nothing requires you to waive yours.
We may update this policy. The current version is always available at taskstreamer.com/vulnerability-disclosure. Material changes will be dated and summarised in the version history at the bottom of this page.
Email: security@taskstreamer.com
| Version | Date | Author | Change summary |
|---|---|---|---|
| 1.0 | 24 April 2024 | Taskstreamer | Initial publication. |
Report it to security@taskstreamer.com. We acknowledge within two business days and will keep you in the loop until it is fixed.