We take security very seriously and want to know about any security vulnerabilities you find in Assembled. This article explains how to report security issues, what to include in your report, and how we respond when someone reports a vulnerability.
In this article:
- How do I report a security vulnerability?
- What should I include in my security report?
- What happens after I report a security issue?
- What kinds of issues won’t be investigated?
- Will I get a reward for reporting a security issue?
How do I report a security vulnerability?
To report a vulnerability, please email us at security@assembled.com with details. We’ll respond as quickly as possible and keep you updated as we investigate.
Please don't share the vulnerability publicly until we've had a chance to fix it. This helps protect all our customers while we work on a solution.
What should I include in my security report?
In your email, please provide as much info as possible to help us reproduce and investigate the issue. We would be grateful for the following details:
- Clear description: Explain what the vulnerability is and how it works.
- Steps to reproduce: List the steps someone would take to exploit it.
- Impact: Describe what someone could do once they had exploited it.
- Screenshots or recordings: Include visual evidence if it helps explain the issue.
What happens after I report a security issue?
Here's what you can expect:
- We'll confirm we received your report.
- If we determine the issue should be investigated, our security team will address it and keep you informed about our progress.
- We'll let you know when the issue has been fixed.
- After we've fixed the issue, you're welcome to discuss it publicly.
We ask that you give us reasonable time to respond — and avoid compromising other users' accounts during your research.
What kinds of issues won’t be investigated?
We don't investigate reports that:
- Don’t have a demonstrable security impact, such as CSV injection that doesn’t affect our systems.
- Are low-impact and don’t affect our users’ security, such as missing best practices or disclosure of non-sensitive information.
- Require physical access to our employee devices, offices, or other property.
- Only affect browsers that are 6+ months out of date.
If you don’t know if your report qualifies, please feel free to submit it anyway. We’d rather have the opportunity to review.
Will I get a reward for reporting a security issue?
We don't currently have a formal bug bounty program, but we know that security research takes time and effort. We may offer rewards for verified security issues at our discretion.
We will only consider rewards for issues disclosed to us privately, and where the testing and research doesn’t disrupt our service or compromise other users.
Please note that we don’t reward phishing, spam, physical security breaches, denial of service, or other attack vectors that negatively affect our team or customers.