CONNECT EMAIL AND HACKERONE WEBPAGE

Charting Show takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include all our other websites, products and services.

If you believe you have found a security vulnerability in any Charting Show owned repository that meets Charting Show's definition of a security vulnerability, please report it to us as described below.

Please do not report security vulnerabilities through public GitHub issues.

Charting Show is an advocate of responsible vulnerability disclosure. If you've found a vulnerability, we would like to know so we can fix it. This notice provides details for how you can let us know about vulnerabilities, or alternatively you can view our security.txt file which contains quick links to contact us.

You can report a vulnerability to Charting Show through our vulnerability disclosure programme at HackerOne. Alternatively, if you prefer to submit without logging in to HackerOne, send an email to secure@example.com. If possible, encrypt your message with our PGP key; please download it from the Charting Show PGP Key page.

You should receive a response within 48 hours. If for some reason you do not, please follow up via email to ensure we received your original message.

Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue.

When reporting a vulnerability to us, please include:

• The website, page or repository where the vulnerability can be observed.
• A brief description of the vulnerability.
• Details of the steps we need to take to reproduce the vulnerability.
• Non-destructive exploitation details.

If you are able to, please also include:

• The type of vulnerability, for example, the OWASP category.
• Screenshots or logs showing the exploitation of the vulnerability.

If you are not sure if the vulnerability is genuine and exploitable, or you have found:

• A non-exploitable vulnerability.
• Something you think could be improved - for example, missing security headers.
• TLS configuration weaknesses - for example weak cipher suite support or the presence of TLS1.0 support.

This information will help us triage your report more quickly.

When you are investigating and reporting the vulnerability on a Charting Show domain or subdomain, you must not:

• Break the law.
• Access unnecessary or excessive amounts of data.
• Modify data.
• Use high-intensity invasive or destructive scanning tools to find vulnerabilities.
• Try a denial of service - for example overwhelming a service on a Charting Show website with a high volume of requests.
• Disrupt Charting Show's services or systems.
• Tell other people about the vulnerability you have found until we have disclosed it.
• Social engineer, phish or physically attack our staff or infrastructure.
• Demand money to disclose a vulnerability.

Only submit reports about exploitable vulnerabilities through HackerOne.

We prefer all communications to be in English.

Charting Show follows the principle of Coordinated Vulnerability Disclosure (CVD).

Under the principle of Coordinated Vulnerability Disclosure, researchers disclose newly discovered vulnerabilities in hardware, software, and services directly to the vendors of the affected product; to a national CERT or other coordinator who will report to the vendor privately; or to a private service that will likewise report to the vendor privately. The researcher allows the vendor the opportunity to diagnose and offer fully tested updates, workarounds, or other corrective measures before any party discloses detailed vulnerability or exploit information to the public. The vendor continues to coordinate with the researcher throughout the vulnerability investigation and provides the researcher with updates on case progress. Upon release of an update, the vendor may recognize the finder for the research and privately reporting the issue. If attacks are underway in the wild, and the vendor is still working on the update, then both the researcher and vendor work together as closely as possible to provide early public vulnerability disclosure to protect customers. The aim is to provide timely and consistent guidance to customers to help them protect themselves.

For more information on CVD, please review the information provided in the following links:

• ISO/IEC 29147:2018 on Vulnerability Disclosure
• The CERT Guide to Coordinated Vulnerability Disclosure

Unfortunately, Charting Show doesn't offer a paid bug bounty programme. Charting Show will make efforts to show appreciation to people who take the time and effort to disclose vulnerabilities responsibly. We do have an acknowledgements page for legitimate issues found by researchers found on our thanks.txt page.

Charting Show have a contributors code of conduct, which you can find here: Code of Conduct

Charting Show uses the Forum of Incident Response and Security Teams (FIRST), Traffic Light Protocol (TLP) version 2.0.

According to FIRST, the color-coded TLP labels should be applied based on the audience that should have access to the shared sensitive information:

If you have suggestions on how this process could be improved please submit a pull request.