Responsible Disclosure Policy

Please email [email protected] to report any security vulnerabilities. We will acknowledge receipt of your vulnerability report as soon as possible and strive to send you regular updates about our progress. If you’re curious about the status of your disclosure, please feel free to email us again. If you want to encrypt your disclosure email, you may download our key from the OpenPGP key server, find it below, or email us to have it sent to you.

Once a vulnerability is fully investigated and its content addressed, we will work with you to disclose the vulnerability in a way that acknowledges your work and protects our customers.

How to Report a Vulnerability

To ensure we can quickly evaluate and respond to your vulnerability report as quickly as possible, please ensure it includes the following information:

  • Impacted product, with version, build, and OS information if relevant
  • Type of vulnerability
  • Steps to reproduce
  • Evidence supporting the report, e.g. screenshots, console output, etc

Safe Harbor Terms

To encourage research and responsible disclosure of security vulnerabilities, we will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of the Casa Terms of Service (“the policy”). We consider security research and vulnerability disclosure activities conducted consistent with this policy to be “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.

You are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data belonging to other users.

Please contact us before engaging in conduct that may be inconsistent with or unaddressed by this policy. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact to us before engaging in any action is a significant factor in that decision. If in doubt, ask us first!

Public GPG Key

  • Casa Security <[email protected]>
  • ID: 822CEA50DFA9B997
  • Fingerprint B638 4E40 AE48 69EF 9785 7DBF 822C EA50 DFA9 B997

-----BEGIN PGP PUBLIC KEY BLOCK-----


mQINBFxPVbUBEAC59VUUH5ysSAgn+BuAHXzm7BXll5AM2fePsRdpwIxrHvFSrKlS
fd1aFxzG98oYTlpyCfhLs/pu6bZxcq9DBl1gwoiV+8Hfuh3y3rqNk9Jq9tWTHR4s
6FfdIL9EZz+nZ7yd2Jxfu6TS9nQ4liJtpww9MAEHQK+Ruo7FIfHpFIIQfyKEgBzl
TeUd5YQBb8SJfqZlYPUQw2FSqUFhZvzOsa1tU3yVPfcwiD22hB5aXqjSjt2dXmqd
fdMM8YJU3yubM41eNg4fKIhBsRROTvIGBve12Q9hYVn3omlpg2LRTvUVzcfFRBz3
9pJUIWiHDYoFzMqvIh6fMHKyub2MgXvLcsD04qozGvOvjxjuqU7IrLqPpnj/jmSS
SgXLlin0T84PZNaUbFJ4GbJBLC6zs8/eaZRxrKuulre0oMor2zWlqws3G2HjpYa/
X7Nw4KTNcn5T0Qyp25KznIcDqpwCoIqZwYQ2CU250P7XvDvfbs9utCTU9BcILQm2
ub0AwUYII84GbIXQnO6pYE0PbN8yP48lAcKNpBy9ooQvIf0fKBMTYM1J7n3D2wCJ
tRmI4xZjakDyLe78H+GxK0K03sSrTZFhhHB0n4+GvjxW8K0oR75EE6Zfdn2KCiU/
3C47Q5nHRFdxvFiP2arVV3qCIRs46MA6nwUpnjJnCXu42XJpeKPsfp/foQARAQAB
tCJDYXNhIFNlY3VyaXR5IDxzZWN1cml0eUB0ZWFtLmNhc2E+iQJUBBMBCAA+AhsD
BQsJCAcCBhUKCQgLAgQWAgMBAh4BAheAFiEEtjhOQK5Iae+XhX2/gizqUN+puZcF
AmAR2AsFCQeE6VYACgkQgizqUN+puZdnXw//RvN/dLM6CNedl6aTiVcx9oQ6bnT4
kaLj0KmSnZwh6CHSE4fGKigYRiRn1FfXOK6AfUhedp+PXZ1ge8mqkRqqR6RLgt5l
ZVqVu8c9656EIgI4sBxoZWdXDoHqf5COQSu60Z4GqDI9Ok1kRnyy4wrYWB5m3oC8
9NETgrgNTX1hAl4NXFI0je8KegGYfNRKffkwRv2ge1OD3t9U9d+DtTFDoIA/SgSJ
hzCfK6Blgm5pZC17nBANEyaGSVXzB42fG0vxF/2nov37tfhfDE48J2XbyTFG1xL0
aby9y6b547f1pYABlESb5LjzBR1Vy/E+2rlOhbuK3qc5lwltD4cPq2CZqxwtdYnm
u3VpO1bjzDRO+BGiN3u9SbY/9dy9Cu7RaF8aY2/fOJU7cnQAoDU5pceeFWygqJyX
t92PNLaGclUK7mI0l35d4HL+2WOPG61wFsrrZsnU+ZqyT9jcAyLpR7oTCAtoenjL
OUOQQebjGpNyZW04D5zmdGDkH4WxDjurqYOWOpvawxvKokO4PidQxzPLFNrWDS0l
YoP8klrk/oCDmRkwZFNB3+ktEaasO7DeU78peJDBbmM4kREn14mfQDmk4mzL2WLy
M8zS7FzF5TomFUlb/OcoEbh+2PPRI5k7WpmLBhAT4KyMIchh/KDqVkMe/45rE5zO
1V3U82FL+9pAGz+5Ag0EXFIWQQEQANTlF1e84IZF/ve3GEqgSOornyQbyc6OHrB0
SHbGJZq8ZyzykPO2PuGLae/O+fybquNGuprzSPTJ5X5fAxFF1Rbr5ik8IlMjm17E
w2Q4AhRcWxgV6FqJ5wIh5TIoan9ZAxKM2HCfP6bOC7uLzwLFAYKGiVtpNLhLkfZU
FgcwFpadiHSzsrfkeGoC1PQo7cFOfvP4C63DEKTZbEFYpIn8UD0bh3Q80nuJZr1j
VGEoV81DSKlGKlpB5KAmgYT5gQ63oHmf+AEuKT2tqUX/pa+MqTpskM2A5MwbAO0t
YpCjY7KuL8PyxOhPgGSu6fJmfQ0R+hd62PSLR6lqNI51ScwdHBNmFVWSy/kXdcy+
fgU+St2dG+4rRQt8swUI3NPiWeA3InxYk3PI4bIN/1k5VShnhVsN1lllhffNyTCK
0LzoQjvUCUfBHp0p/0nTV6dmnI6xByoOGrz/Kw1EfkoSoZbBgCAWhcnpsCvm9Obn
AOVSX7ZB7lGN/yvfBm5//NvhtP3UYLUJocol+35QIXoHw0MnFcsGrZyuG89UQhHO
u8dY1mo/nqwqStFfrhTIntw/TS1i4XClfvn5exoBZDkvx2RF3mE/jvqNGmTZglGT
Fn5DXluMIGhYINZ2llM+kndGyuNfJxHscZZjumuiavxZNjHgldBtMHpHAYcpBcru
m/2YcZpdABEBAAGJAjYEGAEIACAWIQS2OE5Arkhp75eFfb+CLOpQ36m5lwUCXFIW
QQIbDAAKCRCCLOpQ36m5l81iD/90FvfxImfiABL1Vn5Asgm2IviEzmDPzhC4Y9Ww
zft+WDnP9cxuMerGiAx0J/wCxbL/dbStJNhL8fteceuKEKZMSxdfaElq8DY0u8Nz
zb+m0vPVE0qVWX+TQycUAaVgkmRk08g6FrbRvp3Cp2v590o+LhNp2rdezLk5YmlA
NTU7CTdlSLd4SAxCOnvfcAvY+RLoCSlMwDfnTL+b2D3MCwrgPhhGdOv5+GYuP5GW
mK3XO/tcGsjcLiMJGXkEJwsRIIoiYyn3C9lXrikjPPyzGHM0GFeMBk4NOM2o4Qi/
3JuunNWmypQOh5H6OtR8VQvTvy5OfdqsCIxRSStfsSXF2ubSaHLr6OdN+GgL1PLE
PvQm5YsN8PtKiYNx3pB2139ModwH12RKISd9NerMhMTj4KqMU7g1q7McVkHgByaY
UWt4MFnx+mnhR7TEeWC/h35FinxckI8Yh17be+XmSJsdMy60sWDbYDxVhcayAnE+
00u5wDostDlTIRoZ9j4NbBm5lwV9meoMOWQAo0ni2B3el98m6D1vrA77PuttIDVD
cQYwonfdw/+1bs0RrIQoS8yKkg0el5B1xq0iyRM5UMeua0VxJ51Mqad82QaCxSx1
J1x0zXLtYUovyuB9r8WG1E/ILYFCsk3spBZnt8/HtZfQrVco9ooVmpGFvQOoTeP3
sJvR/Q==
=49DK
-----END PGP PUBLIC KEY BLOCK-----