Responsible Disclosure Policy

Please email to report any security vulnerabilities. We will acknowledge receipt of your vulnerability report the next business day and strive to send you regular updates about our progress. If you're curious about the status of your disclosure please feel free to email us again. Please refrain from requesting compensation for reporting vulnerabilities.

Confidential issues

When a vulnerability is suspected or discovered we create a confidential issue to track it internally. Security patches are pushed to as soon as a fix is available.

Red Team Rules of Engagement

If you want to conduct red teaming against Ten Thousand Coffees you will need written permission upfront. You can apply by emailing your plans and experience. You need to get a written authorization letter from our Chief Technology Officer. While you are engaged in red teaming activities you should coordinate with the Ten Thousand Coffees Engineering Team so escalation (law enforcement, etc.) can be avoided.

Disclosure Guidelines for Vulnerabilities in 3rd Party Software

When a security vulnerability in some 3rd party product is discovered by Ten Thousand Coffees team members the following disclosure guideline should apply:

  • The first priority should be getting the vulnerability fixed
  • We will keep vulnerability details confidential until the issue is fixed.
  • If possible we will verify the fix before it is being published
  • In special cases we might release details without a fix to make the public aware, this might for instance be the case when a vulnerability is being actively exploited
  • We aim for a fix within a 90 days deadline
  • We will treat this as a soft deadline and help to meet the deadline when reporting