A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must therefore be easy to find, and a security.txt notice is a simple way to publish it.
Contact: security@web-infra.com
Preferred-Languages: en
Canonical: https://web-infra.com/.well-known/security.txt

We value the security of our systems and appreciate your help in keeping them safe. If you discover a vulnerability, please follow these guidelines:
- Email your findings to the email above.
- Do not run automated scanners on our infrastructure, portal, control panels and/or systems without permission.
- Do not exploit the vulnerability, such as downloading any sensitive data or modifying others' data.
- Do not disclose the issue to others until it is resolved.
- Do not use physical security attacks, social engineering, DDoS, spam, or third-party applications.
- Provide enough information to reproduce the problem, including IP address or URL of the affected system and a description of the vulnerability.

Out of scope vulnerabilities:
- Clickjacking on non-sensitive pages
- Unauthenticated/logout/login CSRF
- Attacks requiring physical or MITM access
- Activities that may disrupt our service (DoS)
- Content spoofing and text injection without demonstrating an attack vector/modifying HTML/CSS
- Email spoofing
- Missing DNSSEC, CAA, CSP headers, DMARC or any other DNS records
- Lack of Secure or HTTP only flag on non-sensitive cookies
- Deadlinks

What we promise:
- We will respond to your report within 7 business days with an evaluation and expected resolution date.
- If you followed our instructions, we will not take legal action against you for the report.
- We will treat your report with strict confidentiality and not share your personal details without permission.
- We will keep you updated on the progress of resolving the issue.
- We will credit you as the discoverer of the problem in public information (unless you prefer otherwise).
- We aim to resolve problems quickly and welcome your involvement in the eventual public disclosure after resolution.
This policy, crawled by Onyphe on 2025-03-16, is sorted as securitytxt.
FireBounty © 2015-2025