01Report a vulnerability
We welcome reports from security researchers. Send findings to [email protected] with the affected URL, reproduction steps, and any proof-of-concept. We reply within 3 business days and coordinate disclosure with you.
A machine-readable security.txt file is available at /.well-known/security.txt (RFC 9116).
02Safe-harbour policy
Good-faith security research is welcome. We will not pursue civil or criminal action against researchers who: (a) act within the scope defined below, (b) do not disrupt service, (c) do not access or exfiltrate customer data beyond the minimum needed to prove impact, and (d) give us reasonable time to fix the issue before public disclosure.
03Scope
- eksneks.com, leader.eksneks.com, mail.eksneks.com (public web + API surfaces)
- All /wp-json/eksneks/* REST endpoints
- Public-facing infrastructure and DNS misconfigurations
- Denial-of-service, resource-exhaustion or rate-limit brute force
- Physical or social-engineering attacks against staff or contractors
- Missing HTTP headers without demonstrated impact
- SPF/DKIM/DMARC configuration for domains we do not administer
- Third-party vendor issues (report directly to the vendor)
04Recognition
We maintain a hall of fame for researchers who report valid issues and follow this policy. Financial rewards are considered on a case-by-case basis for high-impact findings.
05PGP key
For sensitive reports, our PGP public key fingerprint is published at /.well-known/security.txt. Encrypt your report to that key before sending.