Responsible Disclosure Policy

At eu4ua, the security of refugees', hosts' and volunteers' data is our priority. The purpose of this page (the “Responsible Disclosure Policy”) is to provide you with all the information you need if you have discovered a potential vulnerability in any of our products or services.

We really appreciate the help of our community and want to make sure that any disclosures are made responsibly. Please follow the terms below:

You can submit issues to security@eu4ua.org; please include the following information:

  • affected URL or IP address
  • a description of the issue including a list of steps to reproduce the issue
  • the period of time during which you were able to observe the issue

As we are an association, please note that we do not offer a bug bounty program. This means that we do not pay rewards for disclosed security vulnerabilities.

SCOPE

Scope includes all assets behind eu4ua.org except those related to third parties.

WHAT WE ASK OF YOU

  • When searching for potential weaknesses on our systems, please make sure you set the following HTTP header on your requests. It helps us distinguish your testing from a malicious actor's traffic.
    X-Bug-Hunter: <nickname>

  • When sending your report, please share the IP address you used for your tests.
  • If you discover an issue that reveals personal data (PII), you must ensure this data is deleted as soon as you have made the disclosure.
  • Do not violate any other applicable laws or regulations.

FAQs

What shouldn’t I be reporting?

  • Sender Policy Framework (SPF), DKIM and DMARC configuration suggestions
  • Disclosure of known public files or directories (e.g. robots.txt)
  • Banner disclosure on common/public services
  • Phishing or Social Engineering Attacks

When will I hear from you after making a disclosure?

Our team will send you a reply to let you know that we received your report, and will contact you if we need more information.

Can I publish anything about the vulnerability after my disclosure?

Once our team has reviewed and fixed the issue, we will send you written consent to disclose it.

Thank you for your support.