Security Policy
We take security reports seriously. If you’ve found a vulnerability in Family Chat, please tell us before telling anyone else.
How to report
Email [email protected] with:
- A clear description of the issue.
- The exact steps to reproduce it.
- The impact you believe it has.
- Anything else that would help us fix it quickly (logs, payloads, screenshots).
PGP is not required. If you’d like an encrypted channel, say so in the first email and we’ll arrange one.
A machine-readable version of this policy is published at https://safechat.family/.well-known/security.txt (RFC 9116).
We aim to acknowledge reports within 3 business days and to land a fix or have a credible mitigation in place within 90 days of acknowledgement. If a report needs longer, we’ll say so and explain why.
Please do not file public GitHub issues, post on social media, or otherwise disclose the vulnerability during the 90-day window. After a fix ships we’re happy for you to write it up.
Scope
In scope:
- safechat.family and panel.safechat.family.
- The control panel (this repository).
- Federation endpoints and tenant isolation between families: any way for one family to read, modify, or interfere with another.
- Billing integrity: any way to provision capacity without paying for it, or to be charged for capacity you didn’t request.
- Server isolation and deletion semantics: any way to read another family’s data, or for deleted data to leak to another family’s freshly-provisioned server.
Out of scope:
- Content of Matrix clients or servers you yourself deploy. That code is your responsibility.
- Volumetric denial of service against shared infrastructure.
- Social engineering of Family Chat staff or users.
- Findings against third-party services we depend on (Stripe, Migadu, Cloudflare, the upstream Matrix/Dendrite projects) — please report those to the relevant vendor.
- Missing best-practice HTTP headers with no demonstrated impact.
No bug bounty (yet)
We don’t run a paid bug bounty programme at this stage. We do publicly credit reporters who’d like to be named, below, once their report has been fixed and disclosed.
Hall of fame
Empty for now. Be the first.