Security Policy

1. Safe Harbor

StroomChat is committed to working with the security community. We will not pursue legal action against security researchers who act in good faith and follow this responsible disclosure policy, provided that:

• You report the vulnerability to us before disclosing it publicly.
• You do not access, modify, or delete other users' data without explicit permission.
• You do not cause service disruption or system performance degradation.
• You do not exploit the vulnerability beyond what is necessary to demonstrate its existence.

2. Scope

Our disclosure program covers:

• Web Application: stroomchat.com and all related subdomains.
• API: API endpoints serving the web and mobile applications.
• Mobile App: StroomChat app on iOS and Android.

3. How to Report

• Email: Send reports to security@stroomchat.com.
• Encryption: Use our PGP key at stroomchat.com/pgp-key.txt for sensitive reports.
• Report Details: Include vulnerability description, reproduction steps, potential impact, and your contact information.

4. Response Timeline

• Acknowledgment: We will confirm receipt within 48 hours.
• Investigation: We will provide a status update within 5 business days.
• Resolution: We target fixes within 30-90 days depending on severity.
• Recognition: With your permission, we will list you in our Hall of Fame.

5. Out of Scope

• Denial of Service (DoS/DDoS) attacks.
• Social engineering or phishing attacks.
• Vulnerabilities in third-party platforms not managed by StroomChat.
• Reports from automated scanning tools without manual validation.
• Previously known or already reported vulnerabilities.