2022-06-28 15:24:11 +00:00
|
|
|
# Security
|
2022-07-12 14:32:27 +00:00
|
|
|
|
2023-06-28 17:06:00 +00:00
|
|
|
Contact: [security@cal.com](mailto:security@cal.com)
|
2022-06-28 15:24:11 +00:00
|
|
|
|
|
|
|
Based on [https://supabase.com/.well-known/security.txt](https://supabase.com/.well-known/security.txt)
|
|
|
|
|
2023-06-28 17:06:00 +00:00
|
|
|
At Cal.com, we consider the security of our systems a top priority. But no
|
|
|
|
matter how much effort we put into system security, there can still be
|
|
|
|
vulnerabilities present.
|
2022-06-28 15:24:11 +00:00
|
|
|
|
2023-06-28 17:06:00 +00:00
|
|
|
If you discover a vulnerability, we would like to know about it so we can take
|
|
|
|
steps to address it as quickly as possible. We would like to ask you to help us
|
|
|
|
better protect our clients and our systems.
|
2022-06-28 15:24:11 +00:00
|
|
|
|
2023-06-28 17:06:00 +00:00
|
|
|
## Out of scope vulnerabilities
|
2022-06-28 15:24:11 +00:00
|
|
|
|
2022-07-12 14:32:27 +00:00
|
|
|
- Clickjacking on pages with no sensitive actions.
|
|
|
|
- Unauthenticated/logout/login CSRF.
|
|
|
|
- Attacks requiring MITM or physical access to a user's device.
|
|
|
|
- Any activity that could lead to the disruption of our service (DoS).
|
2023-06-28 17:06:00 +00:00
|
|
|
- Content spoofing and text injection issues without showing an attack
|
|
|
|
vector/without being able to modify HTML/CSS.
|
2022-07-12 14:32:27 +00:00
|
|
|
- Email spoofing
|
|
|
|
- Missing DNSSEC, CAA, CSP headers
|
|
|
|
- Lack of Secure or HTTP only flag on non-sensitive cookies
|
|
|
|
- Deadlinks
|
2022-06-28 15:24:11 +00:00
|
|
|
|
2023-06-28 17:06:00 +00:00
|
|
|
## Please do the following
|
2022-06-28 15:24:11 +00:00
|
|
|
|
2022-07-12 14:32:27 +00:00
|
|
|
- E-mail your findings to [security@cal.com](mailto:security@cal.com).
|
2023-06-28 17:06:00 +00:00
|
|
|
- Do not run automated scanners on our infrastructure or dashboard. If you wish
|
|
|
|
to do this, contact us and we will set up a sandbox for you.
|
|
|
|
- Do not take advantage of the vulnerability or problem you have discovered,
|
|
|
|
for example by downloading more data than necessary to demonstrate the
|
|
|
|
vulnerability or deleting or modifying other people's data,
|
2022-07-12 14:32:27 +00:00
|
|
|
- Do not reveal the problem to others until it has been resolved,
|
2023-06-28 17:06:00 +00:00
|
|
|
- Do not use attacks on physical security, social engineering, distributed
|
|
|
|
denial of service, spam or applications of third parties,
|
|
|
|
- Do provide sufficient information to reproduce the problem, so we will be
|
|
|
|
able to resolve it as quickly as possible. Usually, the IP address or the URL
|
|
|
|
of the affected system and a description of the vulnerability will be
|
|
|
|
sufficient, but complex vulnerabilities may require further explanation.
|
|
|
|
|
|
|
|
## What we promise
|
|
|
|
|
|
|
|
- We will respond to your report within 3 business days with our evaluation of
|
|
|
|
the report and an expected resolution date,
|
|
|
|
- If you have followed the instructions above, we will not take any legal
|
|
|
|
action against you in regard to the report,
|
|
|
|
- We will handle your report with strict confidentiality, and not pass on your
|
|
|
|
personal details to third parties without your permission,
|
2022-07-12 14:32:27 +00:00
|
|
|
- We will keep you informed of the progress towards resolving the problem,
|
2023-06-28 17:06:00 +00:00
|
|
|
- In the public information concerning the problem reported, we will give your
|
|
|
|
name as the discoverer of the problem (unless you desire otherwise), and
|
|
|
|
- We strive to resolve all problems as quickly as possible, and we would like
|
|
|
|
to play an active role in the ultimate publication on the problem after it
|
|
|
|
is resolved.
|