If you discover a security vulnerability, please report it privately:
- GitHub Security Advisories (preferred): Report a vulnerability
- Email: security@getinboxzero.com
Please do not open a public GitHub issue for security vulnerabilities.

Please include in your report:
- A description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested remediation (optional)

What you can expect from us:
- Acknowledgement of your report within 3 business days
- Initial assessment within 7 days
- Coordinated disclosure timeline based on severity
This policy covers the Inbox Zero application at getinboxzero.com and code in this repository.
We're grateful to researchers who help keep Inbox Zero and our users safe. With your permission, we're happy to credit you in our acknowledgments after the issue is resolved.