Responsible Disclosure Policy

How to report

Email security@efros.com with a clear description, reproduction steps, and any artefacts (screenshots, request/response pairs, proof-of-concept code). Please do not file public issues for security reports.

For encryption, request our PGP key in your initial email and we will respond with one. Reports are also accepted in Romanian.

Scope

• efros.com and all subdomains we operate
• The contact API at /api/contact
• Public client-side JavaScript shipped from this domain

Out of scope

• Volumetric DDoS, brute-force without business impact
• Reports from automated scanners without a working proof-of-concept
• Vulnerabilities in third-party services we don't control (CookieYes, GTM, Clarity, etc.) — please report to that vendor
• Missing best-practice headers without a demonstrable impact
• Self-XSS that requires a victim to paste attacker-controlled code into devtools
• Email spoofing without bypass of SPF / DKIM / DMARC (we publish DMARC p=reject)

Safe harbour

Good-faith research conducted under this policy is welcome. We will not pursue or support legal action for research that:

• Stays within the scope above
• Avoids privacy violations, service degradation, and data exfiltration beyond the minimum needed to demonstrate impact
• Reports privately and gives us reasonable time to remediate

Our commitments

• Acknowledge receipt within 3 business days
• Provide a triage decision within 10 business days
• Keep you informed of remediation progress
• Credit you publicly on this page if you wish (and after the issue is fixed)

Coordinated disclosure

We ask that you keep findings confidential until we've issued a fix. The default coordinated-disclosure window is 90 days from triage. Please reach out if you need an extension.

Machine-readable contact

See /.well-known/security.txt (RFC 9116).