Socket
Socket
Sign inDemoInstall

Security

Security is a top priority for Socket. We believe that working with security researchers is crucial in making the internet safe for all.

Responsible Disclosure Policy

If you believe you've found a security issue in our product or service, we encourage you to notify us. We will work with you to resolve the issue promptly. Thanks in advance!

Bounty Schedule

This is approximately how much we expect to pay for reports. Understand that this is a guide – it's meant to help set expectations.

  • $0 — We're aware of this, or we don't see it as a security issue.
  • $50 — A minor security problem. It doesn't present much risk. It's likely not getting fixed in the next release.
  • $500 — Definitely a real problem that puts users at risk. We will ship a fix in a scheduled release.
  • $1000 — A really bad problem. We're probably going to ship a fix for this before our next scheduled release. We hope we don't have many of these problems – but if we do, we really want to hear about them.

Disclosure Policy

  • If you believe you've discovered a potential security issue, please let us know by emailing us at security@socket.dev. We will acknowledge your email within five business days. Please only use this address to report security flaws and not for general product support.

  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.

  • Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service. Only interact with accounts you own or with explicit permission of the account holder.

  • If you would like to send us an encrypted report, email us with a request for us to set up a PGP key. We will reply with the PGP long key ID and post it on this page.

  • We are generally happy to publicly disclose reports two weeks after shipping the release which contains the fix.

Scope

The following are explicitly in scope for this program:

  • socket.dev and all its subdomains (except CNAME subdomains such as feedback.socket.dev)
  • socketusercontent.com and all its subdomains

Exclusions

While researching, we'd like you to refrain from:

  • Denial of service
  • Spamming
  • Social engineering (including phishing) of Socket employees or contractors
  • Any physical attempts against Socket's physical property or data centers

Thank you for helping to keep our users safe!

Changes

We may revise these guidelines from time to time. The most current version of the guidelines will be available here.

Updated February 7, 2022.

SocketSocket SOC 2 Logo

Product

About

Packages

Stay in touch

Get open source security insights delivered straight into your inbox.

  • Terms
  • Privacy
  • Security

Made with ⚡️ by Socket Inc