Reporting Possible Security Concerns
Quick question, what's the preferred method for reporting security concerns? Is there an email address with a PGP key I can write to?
hi @EnderTheNetrunner , our vulnerability disclosure info is briefly outlined at https://docs.convex.dev/production/contact but generally this involves emailing security@convex.dev
with regard to general vulnerability reports we typically enact this policy:
1. Scope of Eligible Vulnerabilities: Our policy rewards discovery of specific security flaws that impact the confidentiality, integrity, or availability of user data or our services. This includes issues like SQL Injection, authentication bypass, and unauthorized data exposure.
2. Out of Scope Reports: We generally do not offer rewards for best practice recommendations, hypothetical issues that rely on third-party actions, or non-exploitable findings.
3. Reporting Process: We welcome detailed reports including steps to reproduce the issue, screenshots, and video recordings, if available. These details will help us assess the vulnerability more effectively.
4. Rewards: If your discovery falls within our policy’s scope, we do offer rewards. The amount is determined based on the severity, impact, and quality of the report.
if you'd prefer not to email security@convex.dev directly let's DM and we can set up a PGP key or something. we don't typically use one for reports but can set this up if needed
Excellent, thank you, I'll verify if my issues are in scope and get back to you!
we always appreciate feedback so the policy above is mostly just to discourage blanket "best practice" submissions (e.g., SPF records) that don't apply specifically to convex
Yeah I did have some feedback outside of vulnerabilities, how do you want me to deliver that?
Wait nvm I just saw the feedback form, I'll see if I can submit something