ECODIA

LEGAL DOCUMENT

Responsible Disclosure Policy

LAST UPDATED 2026-02-24

01

Scope

This policy applies to security vulnerabilities discovered in ecodia's web application, mobile applications, and public-facing APIs. Infrastructure and services operated by third-party providers are excluded from this scope unless the vulnerability directly affects ecodia user data. We encourage researchers to focus on issues that have a meaningful impact on the security or privacy of our users.

02

Reporting

Please report security vulnerabilities to security@ecodia.app with a detailed description of the issue, steps to reproduce, and any supporting evidence such as screenshots or proof-of-concept code. Include your contact information so we can follow up with questions or updates. We aim to acknowledge all reports within 48 hours and provide an initial assessment within 5 business days.

03

What We Ask

We ask that you do not access, modify, or delete data belonging to other users during your research. Please avoid automated scanning or testing that could degrade the performance or availability of our services. Give us reasonable time to investigate and address the vulnerability before disclosing it publicly, and coordinate any public disclosure with our security team.

04

What We Offer

We will work with you in good faith to understand and resolve reported vulnerabilities as quickly as possible. Researchers who report valid, previously unknown vulnerabilities may be eligible for recognition on our security acknowledgements page. We are committed to keeping you informed of our progress in addressing the reported issue throughout the remediation process.

05

Exclusions

The following are excluded from this policy: denial-of-service attacks, social engineering or phishing of ecodia staff or users, and physical security testing of ecodia offices or data centres. Reports of missing security headers, SSL configuration issues, or other low-severity informational findings without a demonstrated security impact are generally out of scope. We reserve the right to determine whether a reported issue qualifies under this policy.

06

Safe Harbour

ecodia will not pursue legal action against security researchers who discover and report vulnerabilities in good faith and in compliance with this policy. We consider security research conducted under this policy to be authorised and will not initiate legal proceedings against you for circumventing technology controls in the course of your research. This safe harbour applies only to legal claims under our control and does not bind independent third parties.
