Responsible Disclosure
If you’ve found a security vulnerability in Keel, we’d like to hear about it. This page describes how to report it, what to expect from us, and what we ask of you.
How to report
Email security@meetkeel.com with:
- A description of the vulnerability
- Steps to reproduce it
- The affected URL or component, if known
- Your assessment of the potential impact
Include as much detail as you can. The more we understand upfront, the faster we can act.
What’s in scope
- app.meetkeel.com (the Keel platform)
- meetkeel.com (the marketing site)
- security.meetkeel.com
- The Keel API
What’s out of scope
- Third-party services and infrastructure we rely on - report these directly to the provider (the Privacy Policy lists the current sub-processors)
- Social engineering, phishing, or physical attacks
- Denial-of-service attacks
- Vulnerabilities in software or infrastructure we don’t control
- Issues that require physical access to a device
What to expect from us
- We’ll acknowledge your report within 3 business days
- We’ll keep you updated on our progress toward a fix
- We’ll let you know when the issue is resolved
Timeframes for fixes depend on the severity and complexity of the issue. We’ll be upfront about what we can commit to.
What we ask of you
- Don’t access or modify other users’ data
- Don’t disrupt the service or degrade the experience for other users
- Don’t publicly disclose the vulnerability before we’ve had reasonable time to address it - we’ll work with you on timing
- Act in good faith
Safe harbour
If you follow this policy, we will not pursue legal action against you in connection with your research. We consider security research conducted in line with this policy to be authorised.
Bug bounty
We don’t operate a formal bug bounty programme or offer financial compensation for reports. We’re a small team and we’re being upfront about that.
Credit
If you’d like to be acknowledged for your report, let us know. We’re happy to credit you by name (or alias) once the issue is resolved, unless you’d prefer to remain anonymous.