tinode-chat/SECURITY.md

# Security Policy

## Reporting a Vulnerability

Please report a vulnerability to `security@tinode.co`.

## What not to report

 * Firebase initialization tokens. The Firebase tokens are really public: they must be included into client applications and consequently are not private by design.
 * Exposed `/pprof` or `/expvar`. We know they are exposed. It's intentional and harmless.
 * Exposed Prometheus metrics `/metrics`. Like above, it's intentional and harmless.
Create SECURITY.md 2021-12-09 00:00:34 +03:00			`# Security Policy`

			`## Reporting a Vulnerability`

clarify what not to report as security problems 2024-12-21 10:35:44 +03:00			Please report a vulnerability to `security@tinode.co`.

			`## What not to report`

			`* Firebase initialization tokens. The Firebase tokens are really public: they must be included into client applications and consequently are not private by design.`
			* Exposed `/pprof` or `/expvar`. We know they are exposed. It's intentional and harmless.
			* Exposed Prometheus metrics `/metrics`. Like above, it's intentional and harmless.
Create SECURITY.md 2021-12-09 00:00:34 +03:00