Security

We’ve been called paranoid. That may be so, but more importantly we’re passionate about security, cryptography, and privacy, and how they can improve our lives. We channel that passion into a security-first model of development that we believe goes beyond industry standards. It is very important to us that we secure our systems and our users’ data.

Unfortunately, we are not infallible.

Fortunately, there are…

Security Researchers

We value the work that security researchers do every day to make the Internet safer.

If you are a security researcher and you have found a vulnerability in Masqt, please send an email to (PGP key). Please provide your name, contact details, and (if relevant) your company name in each report.

We give priority to encrypted reports. Please remember to attach your public key!

Responsible disclosure

The privacy and security of our users is of paramount importance, and we want to know immediately if and how their data may be compromised. To encourage responsibility, we commit neither to take legal action against you nor to task law enforcement to investigate you, provided you adhere to the following guidelines:

  1. Provide details of the vulnerability, including the information necessary to reproduce it, and a proof of concept
  2. Make a good-faith effort to avoid destruction of our data, violation of our users’ privacy, and interruption of our service
  3. Do not modify or access data that do not belong to you
  4. Allow us a reasonable amount of time to fix an issue before making any information public

We will respond to all reports as soon as possible, and within two business days at the latest.

If you are looking to report an abuse of the Masqt service, please refer to our Abuse page.

Hall of Fame

While we don’t yet have the resources to offer a bug bounty, we applaud the contributions of security researchers and we want to recognise yours. If you report a confirmed vulnerability, we’ll gladly add your name here.

Venkat Malla

Pratik Dabhi – Discovered missing rate limiting on password resets.

Mehmet Can Güneş

Bilal Abdul Muqeet – Discovered content disclosure in wp-json.