Security Disclosure Policy

Last updated: November 7th, 2020

We greatly appreciate investigative work into security vulnerabilities carried out by well-intentioned, ethical, security researchers. We follow the practice of responsible disclosure in order to best protect our user base from the impact of security issues. On our side, this means:

If you have found a security vulnerability in t2bot.io, we ask thay you disclose it reponsibly by messaging @travis:t2l.io on Matrix. Please do not discuss potential vulnerabilities in public on near-public without first validating with us.

On receipt, we will:

Please note that although t2bot.io is built off Matrix, we cannot reasonably take the lead on resolving incidents relating to the protocol. If an issue is determined to be an issue with the Matrix protocol, we will report it upstream to the Matrix team per their security disclosure policy. We will respond to the original reporter to indicate that their report has been proxied to the Matrix team, and, if desired, disclose the reporter to the Matrix team for appropriate credit. Similar programs apply for software t2bot.io depends on, such as bridges and bots not authored by us directly.

We do not currently provide a bug bounty program. We do, however, maintain a Hall of Fame to recognize those who have responsibly disclosed security issues to us in the past.

Hall of Fame

If you think we missed you, sorry - please let us know by messaging @travis:t2l.io on Matrix.