Security Policy

How we handle security vulnerabilities and keep your data safe

Responsible Disclosure

We take the security of our systems seriously, and we value the security community. Vulnerabilities discovered and reported by security researchers help us improve the security of our services.

Reporting Security Issues

If you believe you have discovered a security vulnerability, we encourage you to report it to us responsibly. Here's how:

Contact Information

What to Include in Your Report

  • A brief description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact of the vulnerability
  • Any suggested remediation steps (if applicable)

Our Commitment

When you responsibly disclose a vulnerability to us, we commit to:

  • Respond to your report within 48 hours
  • Provide regular updates on the status of the vulnerability
  • Acknowledge your contribution (if desired) once the vulnerability is resolved
  • Keep you informed of the timeline for patching

Out of Scope

The following are not considered valid security vulnerabilities:

  • Social engineering attacks
  • Denial of Service (DoS) attacks
  • Physical security issues
  • Issues that require physical access to devices
  • URL redirects or open redirects (unless used for phishing)
  • Self-XSS (cross-site scripting against yourself)

Security Best Practices

At Cushty, we implement multiple layers of security:

  • Encryption: All data is encrypted in transit (TLS 1.2+) and at rest
  • Access Controls: Role-based access control ensures users only access what they need
  • Monitoring: Continuous monitoring of our systems for suspicious activity
  • Backups: Daily encrypted backups stored in secure, geographically distributed locations
  • Updates: Regular security updates and patches applied to all systems
  • UK Hosting: All data hosted in UK-based secure data centres

Recognition

We believe in giving credit where it's due. With your permission, we'll acknowledge responsible disclosures on our security acknowledgments page.

Legal Notes

By reporting a vulnerability, you understand that:

  • You will not publicly disclose the vulnerability until we have addressed it
  • You give us a reasonable amount of time to address the issue before public disclosure
  • You act in good faith and do not access data beyond what is necessary to demonstrate the vulnerability
  • You comply with all applicable laws and regulations

Thank you for helping us keep Cushty secure for all our users.