Context
  1. FaceTo-AI Tool Docs
Context
  • FaceTo-AI Tool Docs
    • Getting Started
    • Server APIs
    • Security
    • About ChatAPI
    • API Docs
      • Get FaceTo-AI Room Link
  1. FaceTo-AI Tool Docs

Security

Responsible Vulnerability Disclosure Policy#

Introduction#

FaceTo-AI welcomes feedback from security researchers and the general public to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines steps for reporting vulnerabilities to us, what we expect, what you can expect from us.

Our Commitments#

When working with us, according to this policy, you can expect us to:
Respond to your report promptly, and work with you to understand and validate your report;
Strive to keep you informed about the progress of a vulnerability as it is processed;
Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints; and
Extend Safe Harbor for your vulnerability research that is related to this policy.

Our Expectations#

In participating in our vulnerability disclosure program in good faith, we ask that you:
Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail;
Report any vulnerability you’ve discovered promptly;
Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
Use only the Official Channels to discuss vulnerability information with us;
Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly;
Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope;
If a vulnerability provides unintended access to data: Limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept; and cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information;
You should only interact with test accounts you own or with explicit permission from the account holder;
Do not distribute inappropriate or illegal content on LiveKit servers or services; and
Do not engage in extortion.

Performing your research#

Do not impact other users with your testing, this includes testing vulnerabilities in projects or organizations you do not own. If you are attempting to find an authorization bypass, you must use accounts you own.
The following are never allowed and are ineligible for reward:
Performing distributed denial of service (DDoS) or other volumetric attacks;
Spamming content; or
Large-scale vulnerability scanners, scrapers, or automated tools which produce excessive amounts of traffic.
Note: We do allow the use of automated tools so long as they do not produce excessive amounts of traffic. For example, running one nmap scan against one host is allowed, but sending 65,000 requests in two minutes using Burp Suite Intruder is excessive.

Handling personally identifiable information (PII)#

Personally identifying information (PII) includes:
Legal and/or full names;
Names or usernames combined with other identifiers like phone numbers or email addresses;
Health or financial information (including insurance information, social security numbers, etc.);
Information about political or religious affiliations; and
Information about race, ethnicity, sexual orientation, gender, or other identifying information that could be used for discriminatory purposes.
Do not intentionally access others’ PII. If you suspect a service provides access to PII, limit queries to your own personal information.
Report the vulnerability immediately and do not attempt to access any other data. The LiveKit Security team will assess the scope and impact of the PII exposure.
Limit the amount of data returned from services. For SQL injection, for example, limit the number of rows returned
You must delete all your local, stored, or cached copies of data containing PII as soon as possible. We may ask you to sign a certificate of deletion and confidentiality agreement regarding the exact information you accessed. This agreement will not affect your bounty reward.
We may ask you for the usernames and IP addresses used during your testing to assess the impact of the vulnerability

Official Channels#

Please report security issues via panohire@gmail.com, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue.
Modified at 2023-07-14 08:31:12
Previous
Server APIs
Next
About ChatAPI
Built with