Security

Vulnerability Disclosure Policy

Our commitment

Collabute takes the security of our platform and our users seriously. We value the work of security researchers and the broader community in helping us keep Collabute safe. This policy explains how to report a vulnerability to us, what is in scope, and what you can expect from us in return.

We welcome good-faith security research and will not take legal action against researchers who follow this policy.

How to report a vulnerability

If you believe you have found a security vulnerability in Collabute, please email us at security@collabute.com with the details. A copy of this policy and our machine-readable contact details are also published at /.well-known/security.txt.

To help us triage and resolve the issue quickly, please include:

  • The affected domain, URL, endpoint, or component
  • A clear description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • Any proof-of-concept code, screenshots, or logs
  • How you would like to be credited, and your contact details (optional)

Please report only one vulnerability per email unless you need to chain several to demonstrate impact.

Scope

The following are in scope for this policy:

  • collabute.com, collabute.ai, and their subdomains
  • app.collabute.com and app.collabute.ai (the web application)
  • api.collabute.ai (the API gateway)
  • The Collabute desktop application

The following are out of scope. Reports limited to these will generally not be accepted:

  • Denial-of-service, volumetric, or load/stress-testing attacks
  • Social engineering, phishing, or physical attacks against Collabute staff, users, or infrastructure
  • Automated scanner output without a demonstrated, exploitable impact
  • Missing security headers, cookie flags, or other best-practice findings with no concrete, demonstrated vulnerability
  • Reports affecting third-party services or vendors that Collabute does not control
  • Vulnerabilities requiring a compromised device, rooted/jailbroken device, or outdated browser

Safe harbor

We consider security research and vulnerability disclosure conducted in line with this policy to be authorized. We will not pursue or support legal action against you for accidental, good-faith violations of this policy. If legal action is initiated by a third party against you for activities that complied with this policy, we will make it known that your actions were authorized.

This safe harbor applies only where you:

  • Make a good-faith effort to avoid privacy violations, data destruction, and interruption or degradation of our services
  • Only access, store, or disclose the minimum amount of data necessary to demonstrate the issue
  • Do not access, modify, or delete data belonging to other users
  • Give us a reasonable amount of time to remediate before disclosing the issue publicly

What you can expect from us

When you report a vulnerability in good faith under this policy, we will:

  • Acknowledge receipt of your report within five business days
  • Provide an assessment of the report and an expected timeline for remediation
  • Keep you informed of our progress and notify you when the issue is resolved
  • Recognize your contribution, with your permission, once the issue is fixed

Collabute does not currently offer monetary rewards (a paid bounty) for vulnerability reports, but we are grateful for and will publicly acknowledge responsible disclosures.

Coordinated disclosure

We are committed to fixing valid issues promptly. We ask that you give us a reasonable period — at least 90 days — to remediate a reported vulnerability before disclosing it publicly, and that you coordinate any public disclosure with us so that we can protect our users.


If you have any questions about this policy, contact us at security@collabute.com.