Responsible Disclosure
We appreciate security researchers who help keep Ecodia and our community safe. This Responsible Disclosure policy explains how to report vulnerabilities to us safely and what you can expect in return.
We aim to work with you in good faith to remediate valid issues quickly, protect users' data, and recognise meaningful contributions.
Program Scope
In scope:
- Public Ecodia web apps and APIs under ecodia.au and the subdomains we operate.
- Mobile apps and backend services owned and operated by Ecodia.
- Third‑party services only where explicitly stated on our Subprocessors page as in-scope for testing.
Out of scope: customer‑owned content or infrastructure, partner systems, and any domain or app not owned by Ecodia.
Program Rules
- Act in good faith and avoid privacy violations, data destruction, or service disruption.
- No ransom, extortion, or threats of disclosure.
- Do not access more data than necessary to demonstrate the issue; avoid exfiltrating personal data.
- Use test accounts where possible; do not impact other users.
- Give us reasonable time to remediate before public disclosure (see “Triage & SLAs”).
Testing Guidelines
- No DDoS, spam, brute force, or volumetric attacks.
- No physical security testing, social engineering, or phishing of Ecodia staff or users.
- No automated scanning that degrades service for others.
- Only interact with your own accounts or assets you control.
- Avoid adding or modifying records in production data; use clearly marked test data.
How to Report
Send reports to connect@ecodia.au. Include:
- A clear, reproducible description of the issue and its impact.
- Proof‑of‑concept steps or minimal exploit code (no destructive payloads).
- Affected hosts/URLs, account type used, and request/response samples (headers redacted where appropriate).
- Any logs, screenshots, or videos that help us reproduce.
If your report contains sensitive details, request our PGP key in your initial email and hold those details back until you can send them encrypted.
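Before pasting request/response samples into a report, strip credentials, session material and personal data so the report itself does not become a leak. The following is an added example in Python, not Ecodia's own tooling: the sensitive header list, the secret-like field names and the sample request are assumptions constructed for illustration, and you should extend them for the application under test.

```python
"""Redact secrets and personal data from a raw HTTP request/response sample
before attaching it to a vulnerability report (added example, not Ecodia's)."""
import re

# Assumption: header names whose values are credentials or session material.
SENSITIVE_HEADERS = {
    "authorization", "proxy-authorization", "cookie", "set-cookie",
    "x-api-key", "x-auth-token", "x-csrf-token",
}

# Secret-looking values outside headers: JSON/form/query fields with
# secret-like names, bare JWTs (three base64url segments), e-mail addresses.
FIELD_RE = re.compile(
    r'((?:password|passwd|secret|token|api_key|apikey|session)"?\s*[:=]\s*"?)'
    r'([^",&\s]+)',
    re.IGNORECASE,
)
JWT_RE = re.compile(r"eyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}")
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

MASK = "[REDACTED]"


def redact_headers(head: str) -> str:
    """Mask the value of every sensitive header; keep the start line verbatim."""
    lines = head.split("\n")
    out = [lines[0]]
    for line in lines[1:]:
        name, colon, _ = line.partition(":")
        if colon and name.strip().lower() in SENSITIVE_HEADERS:
            out.append(f"{name}: {MASK}")
        else:
            out.append(line)
    return "\n".join(out)


def redact_sample(raw: str) -> str:
    """Redact a raw HTTP request or response for inclusion in a report."""
    text = raw.replace("\r\n", "\n")
    head, sep, body = text.partition("\n\n")
    text = redact_headers(head) + sep + body
    text = FIELD_RE.sub(lambda m: m.group(1) + MASK, text)
    text = JWT_RE.sub(MASK, text)
    text = EMAIL_RE.sub(MASK, text)
    return text


def leaked_secrets(text: str) -> list:
    """Final check before sending: anything that still looks like a secret."""
    leaks = [m.group(0) for m in JWT_RE.finditer(text)]
    leaks += [m.group(0) for m in EMAIL_RE.finditer(text)]
    leaks += [m.group(2) for m in FIELD_RE.finditer(text) if m.group(2) != MASK]
    return leaks


# Constructed sample request (not real traffic); hostnames and values are made up.
SAMPLE_REQUEST = (
    "POST /api/v1/login?jwt=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI0MiJ9."
    "c2lnbmF0dXJlMTIzNDU2 HTTP/1.1\r\n"
    "Host: app.example.test\r\n"
    "Authorization: Bearer s3cr3t-bearer-token\r\n"
    "Cookie: session=abcdef123456; theme=dark\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"email": "alice@example.test", "password": "hunter2"}\n'
)

if __name__ == "__main__":
    cleaned = redact_sample(SAMPLE_REQUEST)
    print(cleaned)
    print("remaining secret-like values:", leaked_secrets(cleaned))
```

Run the redacted text through `leaked_secrets` as a last check, and review it by eye: pattern-based redaction misses application-specific identifiers, so anything that would let us or a third party reach a real user should be masked by hand before the sample leaves your machine.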
Safe Harbor
We will not pursue civil action or report to law enforcement for good‑faith research that complies with this policy. This safe harbor does not extend to actions that are unlawful or that violate the rules herein, including exfiltrating personal data, extortion, or disruption.
If a third party initiates legal action and you have complied with this policy, we will make this authorisation known.
Triage & SLAs
Our process & target timelines (business days):
- Acknowledgement: within 2 days.
- Initial triage: within 5 days (severity & scope confirmation).
- Fix window: Critical ≤ 14 days; High ≤ 30 days; Medium ≤ 60 days; Low as scheduled.
- We’ll keep you updated at key milestones and request re‑test/validation where appropriate.
Coordinated disclosure: please do not publicly disclose until a fix has shipped or 30 days have passed, whichever comes first, unless we agree otherwise.
Out of Scope
- Clickjacking on pages with no sensitive actions.
- Self‑XSS or issues requiring user-installed malware or physical access.
- Findings that only work with outdated browsers or user agents, non‑default browser settings, or speculative attacks (e.g., DoS via large payloads without demonstrated impact).
- Missing rate limits or brute‑force findings without demonstrated impact or a bypass of an existing control.
- Best‑practice recommendations without a demonstrable security impact.
Privacy & Legal
- Protect user privacy: do not access, store, or share personal data beyond what is strictly necessary to demonstrate the issue.
- If you encounter personal data, stop testing, do not copy it, and delete any local copies after reporting.
- Comply with applicable laws; nothing in this policy permits unlawful activity.
Recognition
We value your time. While we don’t currently run a paid bug bounty program, we offer recognition on our Hall of Thanks for valid, impactful reports and may provide discretionary swag or goodwill rewards.
- Quality matters: clear impact analysis, minimal repro, and safe handling are more likely to be recognised.
- Duplicates are credited to the first reporter with a complete, reproducible submission.
Contact
Email: connect@ecodia.au • PGP available on request.
For privacy incidents affecting individuals, also see our Privacy Policy and DPA (for controllers).
Small Print
This policy provides a good-faith path for responsible security research on Ecodia assets. It does not authorise unlawful activity and does not create a bounty obligation. We may update the scope and rules from time to time.