Reporting Possible Security Concerns

Quick question, what's the preferred method for reporting security concerns? Is there an email address with a PGP key I can write to?
5 Replies
james (4mo ago)
hi @EnderTheNetrunner, our vulnerability disclosure info is briefly outlined at https://docs.convex.dev/production/contact but generally this involves emailing security@convex.dev
james (4mo ago)
with regards to general vulnerability reports we typically enact this policy:

1. Scope of Eligible Vulnerabilities: Our policy rewards discovery of specific security flaws that impact the confidentiality, integrity, or availability of user data or our services. This includes issues like SQL Injection, authentication bypass, and unauthorized data exposure.
2. Out of Scope Reports: We generally do not offer rewards for best practice recommendations, hypothetical issues that rely on third-party actions, or non-exploitable findings.
3. Reporting Process: We welcome detailed reports including steps to reproduce the issue, screenshots, and video recordings, if available. These details will help us assess the vulnerability more effectively.
4. Rewards: If your discovery falls within our policy's scope, we do offer rewards. The amount is determined based on the severity, impact, and quality of the report.

If you'd prefer not to email security@convex.dev directly, let's DM and we can set up a PGP key or something. We don't typically use one for reports but can set this up if needed.
EnderTheNetrunner (OP, 4mo ago)
Excellent, thank you, I'll verify if my issues are in scope and get back to you!
james (4mo ago)
We always appreciate feedback, so the policy above is mostly just to discourage blanket "best practice" submissions (e.g., SPF records) that don't apply specifically to Convex.
EnderTheNetrunner (OP, 4mo ago)
Yeah, I did have some feedback outside of vulnerabilities. How do you want me to deliver that? Wait, nvm, I just saw the feedback form. I'll see if I can submit something.
