Vulnerability Disclosure Policy

Updated: August 16, 2021

SpatialChat Ltd., a company with its principal place of business at 224 Arch. Makariou III Avenue, Achilleos Building, office 51, 3030 Limassol, Cyprus (“SpatialChat”, “we”, “us” and/or “our”), considers it important to maintain the security, privacy, and integrity of our services so that our customers can use them safely and securely at all times. We therefore value the efforts of researchers to improve our security and/or privacy posture, and we are committed to providing a secure and transparent environment in which vulnerabilities can be reported.

If you believe you have discovered a security or privacy vulnerability that could affect SpatialChat or our users, we would appreciate your assistance in responsibly disclosing it to us. During your investigation, we ask that you follow SpatialChat’s Vulnerability Disclosure Policy and make a good-faith effort to avoid privacy violations, destruction of data, and interruption or degradation of service.

Our commitment

We respectfully request that you do not share an unresolved vulnerability with third parties or announce it publicly. If you responsibly submit a vulnerability report, we will use reasonable efforts to respond in a timely manner, acknowledge receipt of your report, and investigate the disclosed issue. We may send an automatic reply as acknowledgement, and if you have provided contact information, we may contact you when we need additional information to assist the investigation. For the sake of our customers’ security, we generally do not disclose, discuss, or confirm security issues.

Scope

Services that SpatialChat provides are in scope.

The following conditions are out of scope for the Vulnerability Disclosure Program. Engaging in any of the activities below will result in permanent disqualification from the program.

  • Non-SpatialChat sites hosted behind our infrastructure;
  • Any vulnerability obtained through the compromise of a SpatialChat customer or employee account;
  • Missing best practices, configuration or policy suggestions;
  • Any Denial of Service (DoS) attack against SpatialChat and our products;
  • Physical attacks against SpatialChat employees, offices, and data centers;
  • Social engineering of SpatialChat employees, contractors, vendors, or service providers;
  • Knowingly posting, transmitting, uploading, linking to, or sending any malware;
  • Pursuing vulnerabilities which send unsolicited bulk messages (spam) or unauthorized messages.

Eligibility and Disclosure

Eligibility

  • You must accept our Vulnerability Disclosure Policy;
  • You must be the first person to responsibly disclose unknown issues.

SpatialChat shall not launch legal action against researchers as long as they adhere to our Vulnerability Disclosure Policy. To protect our customers, SpatialChat requires you to refrain from posting or sharing any information about a potential vulnerability in any public forum until we have investigated, responded to, and resolved the reported vulnerability and notified customers where necessary.

SpatialChat’s website and services, as stated in our Privacy Policy, are not intended for, or designed to attract, individuals under the age of 18. We cannot and do not accept submissions from children under the age of 13 due to the Children’s Online Privacy Protection Act (COPPA).

This program is not open to anyone on any European Commission sanctions lists or who lives in any country under European Commission sanctions.

Reporting a potential security vulnerability

The SpatialChat Vulnerability Disclosure Policy is intended for reports of vulnerabilities related to the security of SpatialChat services provided over the internet. Send an email to security@spatial.chat to privately share details of the suspected vulnerability with us.

Please make sure that your email contains all the details of the suspected vulnerability so that we can verify and reproduce the issue, including the following:

  • A detailed description of the vulnerability;
  • The full URL;
  • A proof of concept (PoC) or instructions (e.g., screenshots, video, etc.) showing how to reproduce the vulnerability, or the steps you took;
  • Entry fields, filters, or other objects involved;
  • A risk or exploitability assessment.

You are encouraged, but not required, to suggest a fix. Failure to provide a detailed explanation of the vulnerability may delay our response and any subsequent action on the finding.

What security@spatial.chat is not for

  • Reporting complaints about SpatialChat services;
  • Questions and complaints about the availability of SpatialChat’s services;
  • Reporting fraud or presumption of fraud;
  • Reporting fake emails, spam or phishing emails;
  • Reporting malware.

Rules

When researching our systems, always act in good faith. You must use discovered vulnerabilities only for your own investigation. Keep a discovered vulnerability confidential until you and SpatialChat have agreed when and how it will be disclosed.

We do not permit security research on our systems that would materially and adversely affect the performance or availability of our services.

Please be advised that we currently do not offer any form of bounty for findings, and we do not plan to introduce a bounty program in the near future.