Introduction
Security is core to Narrative BI's values, and we value the input of external security researchers acting in good faith to help us maintain a high standard for the security and privacy of our users and systems. This policy sets out our definition of good faith in the context of finding and reporting security vulnerabilities, as well as what you can expect from us in return for your effort, skill, and dedication.
Guidelines
We require all security researchers to:
- Send your report to our public address: [email protected];
- Act in good faith to avoid privacy violations, degradation of our services, disruption to production systems, and destruction of data during security testing (including denial of service);
- Perform research only within the scope set out below;
- Be clear and succinct: a short proof-of-concept link is invaluable;
- Only interact with your own accounts or test accounts for security research purposes. Do not access or modify our data or our users' data without the explicit permission of the owner; and
- Keep information about any vulnerabilities you’ve discovered confidential between us until we’ve had 90 days to resolve the issue.
If you follow these guidelines when reporting an issue to us, we commit to:
- Not pursuing or supporting any legal action related to your research;
- Working with you to understand and resolve the issue quickly;
- Recognizing your contribution on our Leaderboard, if you are the first to report the issue and we make a code or configuration change based on the issue.
Expectations
When working with us according to this policy, you can expect us to:
- Work with you to understand and validate your report, including timely initial response to the submission;
- Work to remediate discovered vulnerabilities in a timely manner; and
- Recognize your contribution to improving our security if you are the first to report a unique vulnerability, and your report triggers a code or configuration change.
In-Scope Vulnerabilities