Responsible Disclosure Policy

Please email [email protected] to report any security vulnerabilities. We will acknowledge receipt of your vulnerability report the next business day and strive to send you regular updates about our progress. If you’re curious about the status of your disclosure please feel free to email us again. If you want to encrypt your disclosure email, you may download our key from the MIT PGP key server, find it below, or email us to have it sent to you.

Once a vulnerability is fully investigated and its content addressed, we will work with you to disclose the vulnerability in a way that acknowledges your work and protects our customers.

How to Report a Vulnerability

To help us evaluate and respond to your vulnerability report as quickly as possible, please ensure it includes the following information:

  • Impacted product, with version, build, and OS information if relevant
  • Type of vulnerability
  • Steps to reproduce
  • Evidence supporting the report, e.g. screenshots, console output, etc.

Safe Harbor Terms

To encourage research and responsible disclosure of security vulnerabilities, we will not pursue civil or criminal action, or send notice to law enforcement for accidental or good faith violations of the Casa Terms of Service (“the policy”). We consider security research and vulnerability disclosure activities conducted consistent with this policy to be “authorized” conduct under the Computer Fraud and Abuse Act, the DMCA, and other applicable computer use laws.

Please understand that if your security research involves the networks, systems, information, applications, products, or services of a third party (which is not us), we cannot bind that third party, and they may pursue legal action or law enforcement notice. We cannot and do not authorize security research in the name of other entities, and cannot in any way offer to defend, indemnify, or otherwise protect you from any third party action based on your actions.

You are expected, as always, to comply with all laws applicable to you, and not to disrupt or compromise any data belonging to other users.

Please contact us before engaging in conduct that may be inconsistent with or unaddressed by this policy. We reserve the sole right to make the determination of whether a violation of this policy is accidental or in good faith, and proactive contact to us before engaging in any action is a significant factor in that decision. If in doubt, ask us first!

Public GPG Key

  • Casa Security <[email protected]>
  • ID: 822CEA50DFA9B997
  • Fingerprint: B638 4E40 AE48 69EF 9785 7DBF 822C EA50 DFA9 B997
