A reference about our practices and policies to ensure security and privacy across our services.
We believe that no technology is perfect and that working with skilled security researchers is crucial in identifying weaknesses. Our bounty program is a way to reward the security researchers that help us with this task. We also publish postmortems to document issues once they are fixed.
If you believe you’ve discovered a bug in Open Collective’s security, please get in touch at [email protected]. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Open Collective.
We investigate legitimate reports and make every effort to quickly resolve vulnerabilities. To encourage responsible reporting, we will not take legal action against researchers nor ask law enforcement to investigate them providing they comply with our security policy and more generally with the following guideline: Make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our services.
Open Collective doesn't store any credit card number, we're instead relying on our partner Stripe - a secure solution that is widely adopted by the industry. If our systems are compromised, we can't lose your credit card number because we simply don't have it.
Passwordless authentication, by its nature, eliminates the problem of using an unsafe password. This means that one of the biggest user errors is taken out of your login. Not only is passwordless authentication safe to use, it might even be safer than a traditional username + password login.