Security policy
We take the security of this site and its users seriously. This page describes how to report a vulnerability and what we commit to in response.
Reporting a vulnerability
If you discover a security vulnerability in this site or its supporting infrastructure, please report it responsibly. Do not open a public GitHub issue for security vulnerabilities.
Preferred method: Email security@eucybersecurity.org with a description of the vulnerability, steps to reproduce, and potential impact. We will acknowledge receipt within 48 hours.
You can also see our security.txt for machine-readable disclosure contact information.
Coordinated disclosure
We follow a coordinated disclosure policy. We ask that you give us a reasonable time to investigate and remediate before any public disclosure — typically 90 days unless the vulnerability is being actively exploited.
We will not take legal action against good-faith researchers who report vulnerabilities according to this policy.
Scope
In scope for responsible disclosure:
- The eucybersecurity.org website and its subdomains
- The public API endpoints
- Authentication and session handling
- Injection vulnerabilities (SQLi, XSS, SSRF, etc.)
Out of scope:
- Denial-of-service attacks
- Social engineering of staff
- Physical attacks
Security headers
This site serves strict security headers on all responses, including Content-Security-Policy (nonce-based), HSTS with preload, X-Frame-Options: DENY, and Permissions-Policy.
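As an added example (not the site's own code), the following Python checker verifies a set of response headers against the header policy stated above; the sample headers are constructed, and the one-year HSTS max-age threshold is an assumption taken from the preload list's submission requirements.

```python
"""Check HTTP response headers against the header policy described on this page.

Added example: the policy it encodes is the one stated above (nonce-based CSP,
HSTS with preload, X-Frame-Options: DENY, Permissions-Policy); the parsing
helpers, thresholds and sample headers are assumptions constructed for illustration.
"""
import re

# Constructed sample response headers (not captured from the real site).
SAMPLE_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'nonce-Xy12ab' 'strict-dynamic'; object-src 'none'",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "X-Frame-Options": "DENY",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

NONCE_SOURCE = re.compile(r"'nonce-[A-Za-z0-9+/=_-]+'")
ONE_YEAR = 31536000  # assumed minimum max-age for HSTS preload eligibility


def parse_csp(value):
    """Turn 'a b c; d e' into {'a': ['b', 'c'], 'd': ['e']} (directive names lower-cased)."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def check_headers(headers):
    """Return a list of findings for the given header dict; an empty list means all checks passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    # CSP: script-src (falling back to default-src) must carry a nonce source.
    csp = parse_csp(h.get("content-security-policy", ""))
    script_src = csp.get("script-src", csp.get("default-src", []))
    if not any(NONCE_SOURCE.fullmatch(src) for src in script_src):
        findings.append("CSP: script-src is not nonce-based")

    # HSTS: long max-age plus includeSubDomains and preload, as the page states.
    hsts = [t.strip().lower() for t in h.get("strict-transport-security", "").split(";")]
    max_age = next((int(t.split("=", 1)[1]) for t in hsts if t.startswith("max-age=")), 0)
    if max_age < ONE_YEAR:
        findings.append("HSTS: max-age below one year")
    if "includesubdomains" not in hsts or "preload" not in hsts:
        findings.append("HSTS: missing includeSubDomains or preload")

    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if "permissions-policy" not in h:
        findings.append("Permissions-Policy header missing")
    return findings
```

Because the CSP is nonce-based, a complete check also fetches the page twice and confirms the nonce differs between responses; that request step is left out so the block runs offline.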