At Corgea, we take the security of our products and services seriously. We appreciate the security research community’s efforts in helping us maintain the highest security standards. This Vulnerability Disclosure Policy outlines how security researchers can responsibly disclose security vulnerabilities to us.

Our Commitment

We are committed to:
  • Working with security researchers to understand and resolve security vulnerabilities quickly and responsibly
  • Acknowledging your contribution to improving our security
  • Keeping you informed about the progress of resolving reported vulnerabilities
  • Treating security researchers fairly and with respect

Scope

This policy applies to vulnerabilities discovered in any of Corgea’s products, services, and infrastructure, including but not limited to:

In Scope

  • Web Application: corgea.app and all related subdomains
  • API: All Corgea API endpoints and services
  • Command Line Interface (CLI): Corgea CLI tool
  • IDE Extensions:
    • Visual Studio Code extension
    • Visual Studio 2022 extension
  • Integrations: GitHub, GitLab, Azure DevOps, Bitbucket, Jira, Slack, and other official integrations
  • Infrastructure: Servers, databases, and systems directly controlled by Corgea

Out of Scope

The following are explicitly excluded from this policy:
  • Third-party dependencies: Vulnerabilities in third-party libraries, frameworks, or services (please report these directly to the respective maintainers)
  • Physical security: Physical access to Corgea offices or infrastructure
  • Social engineering: Phishing, vishing, or other social engineering attacks against Corgea employees or users
  • Denial of Service (DoS): DoS or DDoS attacks
  • Spam: Email or comment spam
  • Issues already known: Vulnerabilities that have already been reported or are publicly known
If you’re unsure whether a vulnerability is in scope, please contact us at [email protected] before testing.

Guidelines for Security Research

When conducting security research on Corgea products and services, we ask that you:

Do

  • ✅ Comply with all applicable laws and regulations
  • ✅ Only test against accounts you own or have explicit permission to test
  • ✅ Respect user privacy - do not access, modify, or delete user data
  • ✅ Use test accounts and test data whenever possible
  • ✅ Report vulnerabilities as soon as possible after discovery
  • ✅ Provide detailed information to help us reproduce and fix the issue
  • ✅ Give us reasonable time to fix vulnerabilities before any public disclosure
  • ✅ Keep vulnerability details confidential until we’ve resolved the issue

Don’t

  • ❌ Access, modify, or delete data belonging to other users
  • ❌ Execute attacks that could harm the availability of our services (DoS/DDoS)
  • ❌ Conduct attacks on our physical facilities or social engineering attacks
  • ❌ Use automated scanners in a way that negatively impacts our services
  • ❌ Publicly disclose vulnerability details before we’ve had a chance to fix them
  • ❌ Demand compensation or threaten to publish vulnerabilities
  • ❌ Violate any laws or breach any agreements in your research

How to Report a Vulnerability

If you believe you’ve discovered a security vulnerability in any Corgea product or service, please report it to us by emailing: [email protected]

What to Include in Your Report

To help us understand and address the issue quickly, please include:
  1. Description: A clear description of the vulnerability
  2. Impact: The potential impact and severity of the vulnerability
  3. Steps to Reproduce: Detailed steps to reproduce the vulnerability
  4. Proof of Concept: Code, screenshots, or videos demonstrating the vulnerability (if applicable)
  5. Affected Components: Which products, services, or endpoints are affected
  6. Your Information: Your name or handle (if you’d like recognition) and contact information

Encrypted Communication

For highly sensitive vulnerability reports, we encourage you to encrypt your communication. Please contact us at [email protected] to request our PGP public key.

Our Response Process

When you report a vulnerability, here’s what you can expect from us:

1. Acknowledgment

  • We will acknowledge receipt of your vulnerability report within 72 hours (3 business days)
  • You’ll receive a confirmation email with a tracking reference

2. Assessment

  • Our security team will assess the vulnerability to determine its validity and severity
  • We may reach out for additional information or clarification

3. Status Updates

  • We will keep you informed about the progress of addressing the vulnerability
  • You can expect regular updates on the status of your report

4. Resolution

  • We will work diligently to resolve confirmed vulnerabilities based on their severity:
    • Critical vulnerabilities: 30 days
    • High severity: 60 days
    • Medium severity: 90 days
    • Low severity: 120 days

These are target timelines and may vary depending on the complexity of the fix.

5. Recognition

  • Once the vulnerability is resolved, we will publicly acknowledge your contribution (if you wish)
  • Researchers who submit valid vulnerabilities may receive Corgea swag as a token of our appreciation

Responsible Disclosure

We believe in coordinated disclosure of security vulnerabilities. We ask that you:
  • Do not disclose the vulnerability publicly until we have had a reasonable opportunity to investigate and address it
  • Notify us immediately if you become aware that vulnerability details have been disclosed to others
  • Work with us on a reasonable timeline for public disclosure
We commit to working with you on a disclosure timeline that gives us adequate time to fix the issue while respecting the security community’s interest in timely disclosure.

Safe Harbor

Corgea is committed to protecting security researchers who act in good faith. We will not pursue legal action against researchers who:
  • Follow the guidelines outlined in this policy
  • Act in good faith and make a reasonable effort to avoid privacy violations, destruction of data, and interruption or degradation of our services
  • Do not exploit a security vulnerability beyond what is necessary to demonstrate the issue
  • Report vulnerabilities promptly and work with us to resolve them
We consider security research conducted under this policy to be:
  • Authorized under the Computer Fraud and Abuse Act (CFAA) and similar laws
  • Exempt from restrictions under the Digital Millennium Copyright Act (DMCA)
  • Protected from legal action by Corgea
If you follow this policy in good faith, we will not bring any legal action against you, and we will work with third parties to ensure they take a similar approach.

Recognition and Hall of Fame

We value the contributions of security researchers who help us improve our security posture. Researchers who report valid vulnerabilities may be recognized in the following ways:
  • Public acknowledgment on our Security Hall of Fame (with your permission)
  • Corgea swag including t-shirts, stickers, and other merchandise
  • Private thank you if you prefer to remain anonymous
To be recognized, you must:
  • Report a valid, in-scope vulnerability
  • Follow the guidelines in this policy
  • Allow us to verify and fix the vulnerability before public disclosure

Questions or Concerns

If you have any questions about this Vulnerability Disclosure Policy or need clarification on what is in scope, please contact us at: [email protected]. We’re here to help and appreciate your efforts in keeping Corgea secure.

Policy Updates

This policy may be updated from time to time. The latest version will always be available on this page. We encourage you to review this policy periodically.
Last Updated: January 2025

Thank you for helping us keep Corgea and our users secure! 🛡️