At Echo we are committed to protecting the privacy and security of users of our software tools. Our Vulnerability Disclosure Program is intended to minimize the impact of any security flaws have on our tools or their users.
Vulnerability Disclosure Program applies to security vulnerabilities discovered in any of the publicly accessible tools created by Echo — macOS desktop application, web properties, iOS application.
In order to qualify, the vulnerability must exist in the latest public release (including officially released public betas) of the software. Only security vulnerabilities will qualify. Other bugs will be accepted at our discretion.
Please adhere to the following guidelines when researching or testing:
Public disclosure of security information enables informed consumer choice and inspires vendors to be truthful about flaws, repair vulnerabilities, and build a more secure product. However, vulnerability information can give attackers who were not otherwise sophisticated enough to find the problem on their own the very information they need to exploit a flaw and cause damage.
While we aim to resolve any security issues within hours, please allow Echo at least 90 days to fix the vulnerability before publicly discussing or blogging about it. Echo believes that security researchers have a First Amendment right to report their research and that disclosure is highly beneficial, and understands that it is a highly subjective question of when and how to hold back details to mitigate the risk that vulnerability information will be misused. If you believe that earlier disclosure is necessary, please let us know so that we can begin a conversation.
Not all reported issues may qualify for a reward. Rewards are awarded at Echo's sole discretion. In our determination of reward eligibility and amount we follow industry's best practices.
If you have any questions about our Vulnerability Disclosure Program, please contact us at hello@eo.chat.