Responsible Disclosure Policy
At Runa, we care deeply about security and appreciate the work done by independent researchers to help make and keep data secure. To this end, we encourage the responsible reporting of any security vulnerabilities discovered in our products or services, as set out in this Responsible Disclosure Policy (“Policy”). We expect independent researchers to communicate information about potential vulnerabilities responsibly — by complying with all applicable laws and avoiding any degradation of our customers’ or end-users’ experience, disruption to any systems, products, services, or infrastructure, and destruction of data. We also ask that independent researchers protect user privacy and security by refraining from publicly disclosing any vulnerabilities.
Scope
This Policy applies to the following domains and services:
- All Runa domains and sub-domains of our products.
- All Runa products developed by Runa.
Submitting Reports
To help ensure that we have enough information to properly evaluate a potential issue, please include the following information in your report:
- A description of the issue, explaining the vulnerability, including steps to reproduce it, and the potential impact on the user or service.
- The product feature, component, or service resource that is affected, including any relevant URLs.
- A proof-of-concept or a functional method that consistently demonstrates the issue, or logs that show the impact of successful exploitation.
- Any specific circumstances, configurations, or conditions required to exploit the issue.
Use our dedicated security email to report such vulnerabilities: [email protected].
We will acknowledge your email within five (5) business days.
What to Expect
Once we receive your report, we will stay in touch with you to provide updates on our investigation. During this time, we may also request additional information.
Out of Scope
Please note that certain types of issues are considered out of scope for our vulnerability disclosure program.
Non-Qualifying Vulnerabilities include, but are not limited to, the following:
- Best practices or recommendations without specific security impact.
- Email spoofing, DNS or DMARC-related issues.
- Clickjacking on pages with no sensitive actions.
- Unauthenticated/logout CSRF.
- Vulnerabilities in third-party services not under Runa’s control.
- Vulnerabilities that do not, by themselves, expose a service or application to attack.
- Vulnerabilities that do not have a real, meaningful impact, as determined by Runa.
Restrictions
While we encourage you to responsibly find and report vulnerabilities, the following is expressly prohibited:
- Performing actions that may negatively impact Runa, its users, and/or end-users (e.g., spam, brute force, denial of service, etc.).
- Accessing, or attempting to access, save, copy, store, transfer, disclose, or otherwise retain data or information that does not belong to you.
- Destroying, modifying, or corrupting — or attempting to destroy or corrupt — data or information that does not belong to you.
- Conducting any kind of physical or electronic attack on Runa personnel, property, or data centers.
- Social engineering any Runa service desk, employee, or contractor.
- Conducting vulnerability testing of participating services using anything other than test accounts.
- Violating any laws or breaching any agreements in order to discover vulnerabilities.
Public disclosure of the details of any identified or alleged vulnerability without the express written authorization of Runa will render the report noncompliant with this Policy.
Runa reserves all legal rights in the event of non-compliance with this Policy. However, Runa commits not to pursue legal action against individuals who:
- Comply with this Policy;
- Report vulnerabilities without malicious intent; and
- Avoid privacy violations, service disruptions, and data destruction.
Runa reserves the right to modify or discontinue this Policy at any time, at its sole discretion.