The safety and security of our customers’ data are of utmost importance to Gorgias. We aim to design and make products and services with the highest levels of security and reliability. Despite our best efforts, due to the highly complex and sophisticated nature of our products and services, vulnerabilities and errors may still be present.

To that end, we welcome responsible and ethical disclosure of potential security vulnerabilities from security researchers, customers and the general public.

This policy outlines our expectations for the responsible disclosure of security vulnerabilities, and the process by which they will be handled.

Scope

This policy applies to any digital assets owned, operated, or maintained by Gorgias, including subdomains of gorgias.com, gorgias.chat, gorgias.io and gorgias.help.

This excludes third-party services that can be accessed through one of our subdomains or that are integrated with one of our products.

We do not accept reports for vulnerabilities solely affecting our marketing website (www.gorgias.com) which contains no sensitive data. In addition, reports that describe theoretical attack vectors without substantiated proof of exploitability are excluded.

Gorgias’ commitments

When you disclose an issue to us in accordance to this policy, you can expect Gorgias to:

• Respond to your report within 5 business days, and work with you to understand and address it
• Take actions to fix the reported vulnerabilities as soon as possible, unless the vulnerability is about an accepted risk on our side
• Keep you informed about our progress in fixing the issue
• Keep information about you and the vulnerability you disclose confidential, unless otherwise agreed upon.

Guidelines

When you disclose an issue to us in accordance to this policy, you agree to:

• Act in good faith and avoid misusing the systems and applications in ways that damage Gorgias or our customers
• Notify us as soon as you discover a real or potential security issue
• Only disclose the issue to third parties, or the public, after we deploy a fix, and with the express prior written authorization of Gorgias.
  • The agreement will include the timing of the disclosure and the degree of details to include
• Make your report without any expectation or requirement of reward or other benefit, financial or otherwise, and without any expectation or requirement that the issues reported are corrected by Gorgias

You also agree to:

• Not access, modify, or remove data that belongs to accounts that you did not create yourself
• Not use an exploit to compromise or exfiltrate data, establish persistent command line access, or pivot to other systems.
  • Exploits should only be used to the extent necessary to confirm a vulnerability’s presence. In case of doubt, please report the issue to us for confirmation.
• Not submit high volume of low quality reports (such as just pasting the results of scanners)
• Not use any of the following test methods:
  • Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
  • Physical testing (e.g. office access, open doors, tailgating)
  • Social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized, we will work with you to understand and resolve the issue quickly, and Gorgias commits not to engage in litigation pertaining to your research or findings. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Reporting an issue

What to include in your report

Your report, should at minimum include:

• The affected endpoints/URLs
• A description of the issue found
• A description of the security impact
• Specific, detailed steps to reproduce the issue
  • Include screenshots, videos, HAR files and code snippets where possible

If you’re a customer

Submit a ticket to our support team.

If you’re a security researcher

Consult our public .well-known/security.txt for contact details.