Skip to content

Security: reclaimprotocol/docs

Security

SECURITY.md

Security Policy

Contact: security@reclaimprotocol.org

At Reclaim Protocol, we prioritize the security of our systems. However, we acknowledge that vulnerabilities may still exist despite our best efforts. We appreciate your help in identifying and reporting these vulnerabilities so we can address them promptly.

Excluded Vulnerabilities

We do not consider the following to be in-scope vulnerabilities:

  • Clickjacking on non-sensitive pages
  • CSRF on authentication-related actions
  • Attacks requiring man-in-the-middle or physical device access
  • Denial of Service (DoS) attempts
  • Content spoofing or text injection without demonstrable risk
  • Email spoofing
  • Missing security headers (DNSSEC, CAA, CSP)
  • Non-secure flags on non-sensitive cookies
  • Broken links

Reporting Guidelines

When reporting a vulnerability, please:

  1. Email your findings to security@reclaimprotocol.org
  2. Avoid using automated scanners on our infrastructure or dashboard without prior permission
  3. Refrain from exploiting the vulnerability beyond what's necessary to demonstrate it
  4. Keep the issue confidential until it's resolved
  5. Do not attempt physical security breaches, social engineering, DDoS, spam, or attacks on third-party applications
  6. Provide sufficient details to reproduce the issue (typically, the affected IP/URL and a vulnerability description)

Our Commitment

In response to your report, we will:

  1. Acknowledge receipt within 3-5 business days, including our assessment and expected resolution timeline
  2. Not pursue legal action if you've adhered to these guidelines
  3. Maintain strict confidentiality and protect your personal information
  4. Keep you updated on our progress
  5. Publicly credit you as the discoverer (unless you prefer otherwise)
  6. Strive for swift resolution and collaborate with you on the final disclosure

We value your contribution to improving our security and look forward to working together to resolve any identified issues.

There aren’t any published security advisories