TERMS OF SERVICEReSPONSIBLE DISCLOSURE POLICYREFUND POLICYPRIVACY POLICYPRIVACY POLICY FOR SERVICES POWERED BY ZERO HASHAffiliate DisclosuresInheritance Terms of service

Responsible Disclosure Policy

Please email security@team.casa to report any security vulnerabilities. We will acknowledge receipt of your vulnerability report as soon as possible and strive to send you regular updates about our progress. If you’re curious about the status of your disclosure, please feel free to email us again. If you want to encrypt your disclosure email, you may download our key from the OpenPGP key server, find it below, or email us to have it sent to you.

Once a vulnerability is fully investigated and its content addressed, we will work with you to disclose the vulnerability in a way that acknowledges your work and protects our customers.

How to Report a Vulnerability

To ensure we can quickly evaluate and respond to your vulnerability report as quickly as possible, please ensure it includes the following information:

  • Impacted product, with version, build, and OS information if relevant
  • Type of vulnerability
  • Steps to reproduce
  • Evidence supporting the report, e.g. screenshots, console output, etc.

Safe Harbor Terms

To encourage research and responsible disclosure of security vulnerabilities, we will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of the Casa Terms of Service (“the policy”). We consider security research and vulnerability disclosure activities conducted consistent with this policy to be “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.

You are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data belonging to other users.

Please contact us before engaging in conduct that may be inconsistent with or unaddressed by this policy. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact to us before engaging in any action is a significant factor in that decision. If in doubt, ask us first!

Public GPG Key

  • Casa Security <security@team.casa>
  • ID: 7071F4AFA8864FFC
  • Fingerprint DA13 DC14 8749 6457 C8C3  D66C E648 DD9D 1D0F 9818

-----BEGIN PGP PUBLIC KEY BLOCK-----

mDMEZ9MxBhYJKwYBBAHaRw8BAQdAQF4l4pMayQWHGDWtkHAJXz63peNsi7CCGrkt
uusbsBK0IkNhc2EgU2VjdXJpdHkgPHNlY3VyaXR5QHRlYW0uY2FzYT6IlgQTFgoA
PgIbAwULCQgHAwUVCgkICwUWAgMBAAIeBQIXgBYhBNoT3BSHSWRXyMPWbOZI3Z0d
D5gYBQJn0zG2BQkJZgIwAAoJEOZI3Z0dD5gYne8A/27Zm5cEIQxIUB2l8nraErJF
gC9v16SvfHzEpocVr4iaAQCPp8x1eA7Jrz0M6wrv9cU7c1bbR5UQfNIPyh93tsWc
Bbg4BGfTMQYSCisGAQQBl1UBBQEBB0C/3+Fk6iSu5C4eFQ9CYB4b36FuTgmYab36
yvYtPbg5JgMBCAeIfgQYFgoAJgIbDBYhBNoT3BSHSWRXyMPWbOZI3Z0dD5gYBQJn
0zHJBQkJZgJDAAoJEOZI3Z0dD5gY9rYBAN6kyGBz9jGIGB7LLIBfjD17bvU1w4uo
bwt6GT3lBl8zAQDwfpQnWgls2nIDIJOqXLuumxxK+NMhBS5EODUasaMoAA==
=Z25T
-----END PGP PUBLIC KEY BLOCK-----