Responsible Disclosure Policy


At Carta we are committed to keeping our customers’ data secure and private. We take security seriously and to demonstrate that security is a priority to us we ensure that our Responsible Disclosure Policy allows the independent security researchers an opportunity to engage with us and notify us of potential security threats impacting the safety of our customers’ data. If you believe you have discovered a potential vulnerability that affects our services, please, let us know. 

For any activity you conduct in accordance with the Responsible Disclosure Policy guidelines below, Carta will not take legal actions against you.


General Policy Guidelines

  • Do not disclose the potential security issue to any third party including, but not limited to social media outlets without Carta’s prior written permission.
  • Do not engage or perform any form of attacks that could harm the availability, integrity, or confidentiality of our service.
  • Do not engage in any form of spamming or phishing of our customers or potential customers.
  • Do not engage in any form of social engineering against Carta employees, customers, or infrastructure.
  • Do not engage in acts of intimidation or extortion.
  • Do not violate the privacy of others, disrupt our systems, destroy data, and/or harm the user.
  • If a vulnerability provides unintended access to data: cease testing and submit a report immediately (e.g., if you encounter any user data during testing, such as personal information or proprietary information)
  • Submission of a report does not create an employment, or agency relationship between you and Carta.
  • you’re prohibited from participating in the program if you are a resident of any U.S. embargoed jurisdiction, including but not limited to Iran, North Korea, Cuba, the Crimea region, and Syria; or if you are on the U.S. Treasury Department’s list of Specially Designated Nationals or the U.S. Department of Commerce Denied Persons List.  By participating in the program, you represent and warrant that you are not located in any such country or on any such list. 
  • Payment of any reward is made at Carta’s sole discretion.
  • When in doubt, please email
  • Carta may modify this policy from time to time.

Reporting Guidelines

Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Please, fill out the form at the bottom of the page so we can intake and review your submission.

We will investigate any details you provide and respond as soon as possible, usually within three business days, and will keep you reasonably informed of the status of any validated vulnerability that you report through this program


Vulnerability Submission Form