---
title: Security Policy
---

**Effective 7 July 2024**

## 1. Introduction

This Security Policy outlines the procedures for reporting security vulnerabilities in our applications and the terms under which we handle such reports. By participating in our security reporting process, you agree to comply with this policy.

## 2. Scope

This policy applies to all applications, services, and systems maintained by our organization, including but not limited to:

- Our main websites and applications
- All open-source projects hosted on our repositories
- Any associated APIs or backend services

## 3. Reporting a Vulnerability

### 3.1 Reporting Channels

If you discover a security vulnerability within any of our applications or systems, please report it through one of the following secure channels:

1. Create a private ticket on our [support server](https://chat.nhcarrigan.com)
2. Send an email to `security@nhcarrigan.com`

### 3.2 Public Disclosure Prohibition

Do NOT disclose the vulnerability publicly or through any public channels, including but not limited to:

- Public GitHub issues
- Social media platforms
- Public forums or chat rooms
- Blog posts or articles

### 3.3 Required Information

When reporting a vulnerability, please provide:

- A detailed description of the vulnerability
- Steps to reproduce the issue
- Potential impact of the vulnerability
- Any suggested mitigation or fix (if known)

## 4. Response Process

### 4.1 Acknowledgment

We will acknowledge receipt of your vulnerability report within 3 business days.

### 4.2 Assessment and Verification

Our security team will assess the reported vulnerability and may contact you for additional information if needed.

### 4.3 Resolution Timeline

We strive to resolve confirmed vulnerabilities within 90 days of the initial report, depending on the complexity and severity of the issue.

## 5. Disclosure Policy

### 5.1 Coordinated Disclosure

We practice coordinated disclosure. We will work with you to ensure that a fix is available before any public disclosure of the vulnerability.

### 5.2 Public Acknowledgment

With your permission, we may publicly acknowledge your contribution in discovering and reporting the vulnerability after it has been resolved.

## 6. Legal Safe Harbor

### 6.1 Authorization

We authorize security research and vulnerability disclosure activities, provided they are conducted in accordance with this policy and all applicable laws.

### 6.2 Scope of Protection

We will not initiate legal action for accidental, good faith violations of this policy. This safe harbor applies only to activities that:

- Comply with all aspects of this Security Policy
- Do not compromise or attempt to compromise the privacy or safety of our users, employees, or systems
- Do not violate any applicable laws

### 6.3 Limitations

This safe harbor does not apply to:

- Vulnerabilities or information obtained through means other than security research
- Research conducted on third-party applications or services that integrate with our systems

## 7. Bug Bounty Program

We do not currently offer monetary rewards or "bug bounties" for reporting security vulnerabilities. Your contributions to our security are greatly appreciated, but are on a voluntary basis. We will gladly thank you in our [Hall of Fame](/community/hall-of-fame).

## 8. Data Protection and Privacy

### 8.1 Handling of Submitted Information

Any information you provide in your vulnerability report will be handled in accordance with our Privacy Policy and applicable data protection laws.

### 8.2 Confidentiality

We will treat all vulnerability reports as confidential and will not share the information beyond what is necessary to address the reported issue.

## 9. Compliance with Laws and Regulations

All security research and vulnerability disclosure activities must comply with all applicable local, state, and federal laws, as well as any relevant international laws.

## 10. Policy Updates

We reserve the right to update or modify this Security Policy at any time. Any changes will be effective immediately upon posting the updated policy on our website or repository.

## 11. Contact Information

For any questions regarding this Security Policy, please contact us at `security@nhcarrigan.com`.

By reporting a security vulnerability to us, you acknowledge that you have read, understood, and agree to this Security Policy.