Responsible Disclosure

Found a security vulnerability in CrashCatch? We want to hear from you. Here's how to report it safely.

To report a security vulnerability, email us directly at security@crashcatchlabs.com. Please encrypt sensitive reports using our PGP key (see below).

Our Commitment

CrashCatch processes crash dumps that may contain sensitive application state. We take the security of our software and the data entrusted to us seriously.

If you report a vulnerability to us in good faith, we commit to:

  • Acknowledge your report within 48 hours.
  • Provide an initial assessment and estimated timeline within 7 business days.
  • Work with you to understand and reproduce the issue.
  • Notify you when the vulnerability has been resolved.
  • Credit you in our changelog (unless you prefer to remain anonymous).
  • Not take legal action against researchers acting in good faith.

What to Include in Your Report

A useful vulnerability report includes:

  1. A clear description of the vulnerability and its potential impact.
  2. The affected component (desktop application, web service, API, etc.).
  3. Step-by-step instructions to reproduce the issue.
  4. Any proof-of-concept code, screenshots, or output demonstrating the vulnerability.
  5. Your assessment of severity (CVSS score if possible).
  6. Whether you would like to be credited publicly.

Scope

The following are in scope:

  • The CrashCatch web service and API at crashcatchlabs.com
  • The CrashCatch desktop application (CrashCatch Analyze)
  • The CrashCatch Runtime client library
  • Authentication and authorisation mechanisms
  • Data handling and crash data isolation between accounts

The following are out of scope:

  • Cloudflare infrastructure (report directly to Cloudflare)
  • Mailchimp / third-party services we use
  • Social engineering or phishing attacks against CrashCatch Labs staff
  • Denial-of-service attacks
  • Issues in third-party dependencies that have already been publicly disclosed

Coordinated Disclosure

We follow a coordinated disclosure model. We ask that you give us a reasonable amount of time, typically 90 days, to investigate and remediate a vulnerability before you publish any details.

If you believe a vulnerability is being actively exploited in the wild, please note this clearly in your report and we will treat it as a priority.

PGP Key

For sensitive reports, please encrypt your email to security@crashcatchlabs.com. Our PGP key will be published here once the product enters public beta.

Contact

Security reports: security@crashcatchlabs.com
General contact: hello@crashcatchlabs.com