The Loom team and community take the security of our software seriously. We appreciate your efforts to responsibly disclose your findings, and we will make every effort to acknowledge your contributions.
If you believe you have found a security vulnerability in Loom, please report it to us as soon as possible. We ask that you do not disclose the vulnerability publicly until we have had a chance to address it.
Please report vulnerabilities via one of the following methods:
- Email: Send an email to [dark@nightconcept.net](mailto:dark@nightconcept.net) with a detailed description of the vulnerability, steps to reproduce it, and any potential impact.
- Issue Tracker (Private): If you prefer, you can report the vulnerability through our private issue tracker [here](https://github.com/nightconcept/Loom/security/advisories).
We aim to acknowledge receipt of your vulnerability report within 3 business days.
Our goal is to address and fix any reported security vulnerability in a timely manner. Here is our general process:
- Confirmation: We will confirm the vulnerability and determine its impact. We may contact you for more information during this phase. This typically takes up to 7 days.
- Remediation: Our team will work on a fix for the vulnerability. The timeline for this can vary depending on the complexity of the vulnerability, but we aim to have a patch ready within 30 days of confirmation. For more complex issues, this might extend up to 90 days.
- Disclosure: Once the vulnerability is fixed and a new version is released, we will make a public disclosure. This disclosure will typically include a description of the vulnerability and credit to the reporter, unless you request to remain anonymous. We believe in transparent disclosure practices.
We are committed to a coordinated vulnerability disclosure process. We expect to work closely with the reporter throughout the lifecycle of the vulnerability.
This policy applies to the latest stable release of Loom. If you are using an older version, please consider upgrading before reporting a vulnerability, as it may have already been addressed.
The following are generally considered out of scope for our vulnerability disclosure program:
- Denial of service attacks that require significant volumetric resources.
- Social engineering or phishing attacks.
- Vulnerabilities in third-party dependencies (please report those to the respective projects, though we appreciate a heads-up if it impacts Loom).
Thank you for helping keep Loom secure. Your efforts in responsible disclosure are highly valued.