Responsible Security Disclosure Policy
Eventurk Security Policy
This policy defines the principles for reporting security vulnerabilities in a secure, controlled, and traceable manner.
Contact
Please submit reports to [email protected]. To accelerate triage, include [Security Report] in the subject line and document each finding under a separate heading.
[email protected]Process
Initial review
Each submission is reviewed for technical reproducibility and scope alignment.
Triage
Findings are prioritized based on exploitability, impact, and user risk.
Remediation and closure
Remediation is implemented, validated, and then formally closed.
In Scope
- Web application flows, session handling, and authorization controls
- API access control issues, data exposure, and integrity risks
- Account takeover and privilege escalation scenarios
- XSS, CSRF, SSRF, SQL/NoSQL injection, and RCE-class vulnerabilities
Out of Scope
- Social engineering, physical intrusion, or phishing campaigns
- DoS/DDoS and stress testing that may affect service availability
- Scanner-only submissions without reproducible PoC evidence
- Third-party systems outside Eventurk operational control
Required Report Structure
- Clearly specify affected URLs/endpoints, parameters, and required role.
- Provide reproducible steps in a clear execution order.
- Attach technical evidence such as PoC artifacts, logs, or screenshots.
- Briefly compare expected behavior with observed behavior.
Responsible Disclosure Requirements
Public disclosure of vulnerability details should be deferred until remediation is complete. Testing must not involve data modification/deletion, user impact, service disruption, or abusive activity.
This policy is reviewed and updated periodically. The latest version is published at /security-policy and /.well-known/security.txt.