Responsible Disclosure
Security is our daily work, so we take it seriously at home too. If you find a vulnerability in our systems, we want to hear about it. Here we describe how to report it safely and what you can expect from us.
How to report a vulnerability
Write to us at contact@elementrica.com. You will also find the security team’s contact details in machine-readable form in our security.txt file.
In your report, briefly describe: what the vulnerability concerns, how to reproduce it (step by step) and what impact it may have. Attach proof (for example a screenshot or request), but without unnecessary access to data.
Scope
These rules apply to services and systems owned by Elementrica, including this site. If you are not sure whether a given resource belongs to us, ask before you start testing.
Rules for safe testing
So that your actions are safe for both sides, stick to a few rules. Please:
- act in good faith and only within the scope needed to demonstrate the vulnerability,
- do not access, modify or delete other people’s data,
- do not run availability attacks (DoS/DDoS) or performance tests,
- do not use social engineering against our employees, clients or contractors,
- do not use the vulnerability beyond what is necessary to confirm it,
- give us a reasonable time to fix it before you disclose details publicly.
Our commitments
In return, we commit to:
- keep you informed of progress in the analysis and fix,
- not take legal action against people acting in good faith and in line with these rules,
- thank the author of the report, if they agree to it.
What we do not treat as a vulnerability
We usually do not qualify reports concerning only:
- missing security headers without a demonstrated real impact,
- automated scanner results without confirmation that they can be exploited,
- purely theoretical issues or ones that require unlikely conditions.