From 5a53c0313c49959f2b0c7cd3d9dc07d16ccb7de2 Mon Sep 17 00:00:00 2001 From: Tom Piccirello <8296030+Piccirello@users.noreply.github.com> Date: Thu, 9 Oct 2025 15:24:43 -0700 Subject: [PATCH] Add section about reporting phishing emails (#13152) * Add section about reporting phishing emails * Update security report info for consistency * Remove duplicate info --- SECURITY.md | 2 +- contents/handbook/company/security-advisories.md | 2 +- contents/handbook/company/security.md | 15 ++++----------- 3 files changed, 6 insertions(+), 13 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 4935c7f80..efbc1ccb8 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -2,6 +2,6 @@ ## Reporting a Vulnerability -Please report security vulnerabilities to security@posthog.com. +Security vulnerabilities and other security related findings can be reported via our [vulnerability disclosure program](https://bugcrowd.com/engagements/posthog-vdp-pro) or by emailing [security-reports@posthog.com](mailto:security-reports@posthog.com). We currently do not operate a bug bounty program, but we will generously reward you with merch for any actionable security vulnerabilities found. diff --git a/contents/handbook/company/security-advisories.md b/contents/handbook/company/security-advisories.md index 1d09093d9..ce57d47e8 100644 --- a/contents/handbook/company/security-advisories.md +++ b/contents/handbook/company/security-advisories.md 
@@ -22,7 +22,7 @@ For more information about our security practices, see our [main security page]( ## Reporting security issues -If you discover a security vulnerability in PostHog products or services, please report it to us at **[security@posthog.com](mailto:security@posthog.com)**. Valid findings will be rewarded with PostHog swag. +Security vulnerabilities and other security related findings can be reported via our [vulnerability disclosure program](https://bugcrowd.com/engagements/posthog-vdp-pro) or by emailing [security-reports@posthog.com](mailto:security-reports@posthog.com). Valid findings will be rewarded with PostHog swag. ## Updating this page diff --git a/contents/handbook/company/security.md b/contents/handbook/company/security.md index 27763e50e..ffe94733f 100644 --- a/contents/handbook/company/security.md +++ b/contents/handbook/company/security.md 
@@ -80,17 +80,10 @@ Security vulnerabilities and other security related findings can be reported via For information about current and past security advisories and CVEs, see our [advisories & CVEs page](/handbook/company/security-advisories). -## Secure communication (aka preventing or detecting social engineering) +## Reporting phishing -We have a few policies in place to prevent social engineering attacks. +If you receive a phishing or malicious email, it's useful to report it to the security team so that they can make other employees aware. Forward these emails to [security-internal@posthog.com](mailto:security-internal@posthog.com). -For our internal communications, we have the following policies: -- We do not use email for critical communications. -- We do not use SMS for critical communications. -- We do not use phone for critical communications. +## Secure communication (aka preventing social engineering) --> We only use Slack for critical communications - -In case you should receive a suspicious email or other form of communication, please do not click on any links or open any attachments. Instead, please contact the team or person directly via Slack. E.g. if someone claims to be James, send them a message on Slack and ask "James, am I in a call with you right now?". This is a great and easy way to verify if this is legit. The same goes for any other form of communication. - -Please report any suspicious communications to `#project-security` on Slack. +We follow several best practices to combat social engineering attacks. See [Communication Methods](/handbook/company/communication#communication-methods) for more information.
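Review bot: in the SECURITY.md hunk, "security related findings" on the added line should be hyphenated as "security-related findings" (compound modifier); the same phrase appears in the security-advisories.md hunk and in the context line of security.md, so fix all three in this change. The retained sentence promises "merch" for actionable findings while security-advisories.md promises "swag"; since the commit's stated aim is consistency, pick one term for both files.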
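Review bot: the replacement line in the security-advisories.md hunk is now word-for-word the first sentence of SECURITY.md and of the security.md context line, so the VDP URL and the security-reports@posthog.com address are maintained in three places. Consider keeping the full text in one of them and linking to it from the others ("see [main security page]", which this file already references two lines up), otherwise the next change of address or program URL needs three coordinated edits.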
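Review bot: the security.md hunk removes two concrete instructions that the new text does not carry over: do not click links or open attachments in a suspicious message, and verify the sender out of band by messaging them directly on Slack. The replacement only links to Communication Methods; unless that page states both, keep a one-line version under the new "Reporting phishing" heading, which is where an employee who has just received such a mail will look. The old text also said to report suspicious communications to `#project-security` on Slack, while the new section says to forward them to security-internal@posthog.com; if the channel is still monitored, say which route is preferred so reports do not split. Consider asking that the message be forwarded as an attachment rather than inline, so the original headers remain available to the security team for triage.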