Errna Security: Responsible Disclosure Policy

Your expertise helps us protect our community. We are committed to working with security researchers to verify and address potential vulnerabilities in a collaborative and constructive manner.

At Errna, the security of our systems, data, and client assets is a top priority. We believe that a strong partnership with the security research community is essential to achieving this goal. This policy outlines our approach to responsible disclosure, providing a clear framework for researchers to report potential vulnerabilities and our commitment to addressing them. We value the crucial role independent security researchers play and are dedicated to fostering a positive and respectful environment for this collaboration. Your efforts help us ensure our platforms remain secure and trustworthy for everyone.

Our Commitment to Security Researchers

We build trust through a clear, consistent, and collaborative process.

Collaborative Partnership

We view security research as a partnership. We commit to working with you to understand, validate, and remediate vulnerabilities.

Transparent Communication

We promise to maintain open and timely communication throughout the reporting and remediation process, keeping you informed of our progress.

Safe Harbor

We provide a safe harbor for research conducted under this policy, ensuring you can report findings without fear of legal action.

Researcher Recognition

We believe in giving credit where it's due. With your permission, we will publicly acknowledge your contributions to our security.

Focus on Solutions

Our primary goal is to fix vulnerabilities. We appreciate detailed reports that help us understand the issue and develop effective solutions quickly.

Protecting Privacy

We require that all research avoid compromising the privacy and data of our users, employees, and clients.

How to Report a Vulnerability

Follow our structured four-step process to ensure your findings are received, reviewed, and resolved efficiently.

1. Discovery & Submission

Once you've identified a potential vulnerability, please document it thoroughly. Submit your findings to our dedicated security email: security@errna.com. Include a detailed description, steps to reproduce, and any proof-of-concept code.

2. Triage & Validation

Our security team will acknowledge receipt of your report within 2 business days. We will then work to validate the vulnerability, assess its impact, and determine its severity. We may contact you for additional information during this phase.

3. Remediation

Upon validation, our engineering teams will prioritize and begin working on a fix. We will keep you updated on the remediation timeline and progress. We ask that you refrain from public disclosure until we have deployed a solution.

4. Disclosure & Recognition

After the vulnerability has been resolved, we will notify you. We will then work with you on a coordinated public disclosure if appropriate. With your consent, we will add your name to our Security Hall of Fame to recognize your valuable contribution.

Program Scope

This policy applies to the following systems and services. Any service not explicitly listed here is considered out of scope.

In Scope

  • All systems and services hosted on the `*.errna.com` domain.
  • Our primary corporate website and client-facing applications.
  • APIs and backend services directly supporting our main platform.
  • Official Errna mobile applications available on public app stores.

Out of Scope

  • Third-party services or vendors used by Errna.
  • Denial of Service (DoS or DDoS) attacks.
  • Social engineering or phishing attacks against our employees or customers.
  • Physical security of our offices and data centers.
  • Reports from automated scanners without manual validation.

Legal Safe Harbor

Our commitment to a safe and transparent process for security researchers.

Errna will not initiate legal action against individuals who report security vulnerabilities and adhere to this policy. We consider security research and vulnerability disclosure activities conducted under this policy to be "authorized" conduct under the Computer Fraud and Abuse Act.

We waive any restrictions in our Terms of Service and Acceptable Use Policy that would prohibit security research, but only for activities that are conducted in accordance with this policy. This safe harbor requires that your research does not compromise user data, disrupt our services, or involve privacy violations.

If a third party initiates legal action against you for research conducted in accordance with this policy, we will take steps to make it known that your actions were conducted in compliance with our policy. We are committed to protecting security researchers who act in good faith and help us improve our security posture.

Frequently Asked Questions

Answers to common questions about our security disclosure program.

Currently, we do not offer a formal, paid bug bounty program. However, we are committed to recognizing the valuable contributions of security researchers. For significant and well-documented vulnerabilities, we may offer discretionary rewards or swag as a token of our appreciation. Our primary method of recognition is through our public Hall of Fame.

We aim to provide an initial acknowledgment of your report within 2 business days. The timeline for validation and remediation can vary significantly depending on the complexity and severity of the vulnerability. We commit to providing you with a status update at least every 10 business days throughout the process.

A great report includes a clear and concise summary of the issue, detailed steps to reproduce the vulnerability, and the potential impact. Please include any relevant screenshots, logs, or proof-of-concept code. The more detail you provide, the faster we can validate and resolve the issue. Please submit one vulnerability per report.

If you submit a report for a system or vulnerability type that is listed as out of scope, we will inform you that it does not fall under this policy. While we appreciate the effort, we cannot process, validate, or offer safe harbor for out-of-scope findings. We encourage you to focus your research on the assets and vulnerability types listed as in-scope.

Have a vulnerability to report?

Help us keep Errna secure. We appreciate your expertise and are ready to collaborate. Please send your detailed findings to our security team.

Email: security@errna.com