sameroom / legal


Consider adding a section on discovering and reporting security bugs #3

Open psifertex opened 8 years ago

psifertex commented 8 years ago

At the very least, making sure you have a security@sameroom.io would be helpful since it looks like you don't currently have one.

And consider making some changes to your TOU to explain what you consider legitimate. For example, do you allow third parties to try to find flaws in your software without fear of legal retaliation, as long as such use is non-malicious and reported to you? There are a lot of options, up to and including offering a bug bounty. Multiple third-party services like HackerOne can help manage that process too.

Here's how Slack handles it, e.g.: https://slack.com/whitehat https://hackerone.com/slack

Slightly related if you're interested in the topic: https://hackerone.com/blog/vulnerability-coordination-maturity-model

abs commented 8 years ago

Added "Reporting Security Issues" to https://sameroom.io/blog/sameroom-security-overview/

Thanks!

psifertex commented 8 years ago

Thanks! I would again reiterate the suggestion of creating a security@sameroom.io alias for that email address, as that's the industry standard, but having that section added is a great start. Thanks for the quick reply!