# OpenCharts Security Policy
# https://securitytxt.org/ — RFC 9116
#
# If you discover a vulnerability in OpenCharts, please tell us so we
# can fix it. We treat the security of our customers and their data
# as a top priority. This file is the machine-readable contract for
# our Vulnerability Disclosure Program (VDP).

Contact: mailto:security@opencharts.com
Preferred-Languages: en, es
Canonical: https://opencharts.com/.well-known/security.txt
Expires: 2027-02-23T00:00:00.000Z
Policy: https://opencharts.com/security
Acknowledgments: https://opencharts.com/security#hall-of-fame
Hiring: https://opencharts.com/careers

# ──────────────────────────────────────────────────────────────────
# Scope
# ──────────────────────────────────────────────────────────────────
# In scope:
# - opencharts.com and all *.opencharts.com subdomains
# - The OpenCharts MCP server at https://www.opencharts.com/api/mcp
# - The Theo AI assistant surfaces (chat, voice, live, desk)
# - First-party Chrome / browser extensions we publish
# - First-party mobile apps published under "Open Charts Inc."
#
# Out of scope (please do not report unless you can demonstrate a
# concrete user-impacting exploit):
# - Clickjacking on pages with no sensitive actions
# - Unauthenticated / logout / login CSRF
# - Attacks requiring MITM or physical access to a user's device
# - Attacks requiring social engineering of an OpenCharts employee
# - Any activity that disrupts service for other customers (DoS)
# - Content spoofing / text injection without a real attack vector
# - Email spoofing of opencharts.com (we will tighten SPF/DMARC over time)
# - Missing DNSSEC, CAA, or non-critical CSP headers
# - Lack of Secure / HttpOnly flag on non-sensitive cookies
# - Dead links, broken images, user enumeration on public surfaces
# - Self-XSS or attacks requiring an outdated browser
# - Best-practice findings from automated scanners with no PoC
# - Issues in third-party services OpenCharts depends on — those are
#   out of scope here; please report them to the upstream vendor
#
# ──────────────────────────────────────────────────────────────────
# Testing guidelines
# ──────────────────────────────────────────────────────────────────
# - Only test against your OWN OpenCharts projects, organizations,
#   API keys, and Theo conversations. Do not attempt to access data
#   belonging to other customers.
# - Do not run automated scanners against shared infrastructure
#   (the MCP server, /api/ai/*, the marketing pages). Automated
#   scanning runs up costs and triggers our abuse-protection
#   systems, which makes it hard to distinguish your research from
#   a hostile actor. If you must run a scanner, email us first.
# - Do not exfiltrate more data than necessary to prove an issue.
#   Stop at the minimum viable proof-of-concept.
# - Do not modify or destroy data that does not belong to you. If
#   you accidentally do, tell us immediately.
# - No social engineering, phishing, or physical attacks on
#   OpenCharts staff or facilities.
#
# ──────────────────────────────────────────────────────────────────
# Reporting guidelines
# ──────────────────────────────────────────────────────────────────
# Send reports to security@opencharts.com with:
# 1. A clear description of the vulnerability and its impact.
# 2. Steps to reproduce (URLs, payloads, screenshots, video).
# 3. The affected versions / environments if known.
# 4. Your suggested remediation if you have one.
# 5. A handle / name you want credited (or "anonymous").
#
# PGP-encrypted reports are welcome — request a key at the same address.
#
# ──────────────────────────────────────────────────────────────────
# What we promise (Safe Harbor)
# ──────────────────────────────────────────────────────────────────
# - Initial response within 5 business days of your report.
# - Status updates as we triage, fix, and ship.
# - Public acknowledgment on https://opencharts.com/security unless
#   you ask to stay anonymous.
# - We will not pursue legal action against researchers who follow
#   the testing guidelines above and act in good faith.
# - We will keep your report and personal details confidential and
#   will not share them with third parties without your permission,
#   except where required by law.
#
# ──────────────────────────────────────────────────────────────────
# Disclosure policy
# ──────────────────────────────────────────────────────────────────
# - Please do not publicly disclose details of a vulnerability until
#   we have shipped a fix and notified affected customers.
# - For public write-ups (blog posts, conference talks), share a
#   draft with us at least 30 days before publication. Please omit:
#   • Data belonging to OpenCharts customers
#   • Personally identifying information about OpenCharts
#     employees, contractors, or partners
#   • Specifics that would let another attacker re-exploit before
#     customers can patch
# - We aim to resolve every confirmed issue as quickly as possible
#   and to give you co-author credit on the public write-up if you
#   want it.
#
# Thank you for helping keep OpenCharts and our users safe.