Responsible Disclosure Policy

Guidelines for reporting security vulnerabilities in WebDirect systems.

To report a vulnerability, email us at:

[email protected]

Scope

This policy applies to security vulnerabilities found in webdirect.md, associated subdomains, and the WebDirect API. It does not apply to third-party services used by WebDirect.

How to Report

Email [email protected] with a clear description of the vulnerability, steps to reproduce, potential impact, and any proof-of-concept (without causing harm). For sensitive reports, use our PGP key available at /.well-known/pgp-key.txt.

What to Expect

We will acknowledge your report within 2 business days, investigate and provide an initial assessment within 10 business days, and keep you informed of remediation progress. We aim to fix critical vulnerabilities within 30 days.

Rules of Engagement

Do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability. Do not perform denial-of-service attacks. Do not exploit the vulnerability or disclose it publicly before we have had a reasonable time to remediate.

Our Commitments

We will not pursue legal action against researchers who follow this policy. We will acknowledge your contribution (with your consent) in our security acknowledgments. We do not currently operate a formal bug bounty program, but we recognize and appreciate responsible researchers.

Out of Scope

Social engineering attacks on employees, physical attacks, volumetric DDoS, and findings from automated scanners without manual validation are out of scope.