Vulnerability Disclosure

Responsible disclosure policy

We value the work of security researchers and the wider community in keeping Conferences.Center safe. If you believe you have found a security vulnerability, we want to hear from you — and we commit to working with you in good faith to resolve it.

Good-faith safe harbor

If you make a good-faith effort to follow this policy, we will treat your research as authorized. We will not pursue or support legal action against you for accidental, good-faith violations, and we will work with you to resolve the issue promptly.

Acknowledgement window

We aim to acknowledge new reports within 3 business days and to share triage and remediation timelines as we investigate. We will keep you informed through resolution.

Scope

In scope

  • The Conferences.Center web application and its public API
  • Authentication, authorization, and tenant-isolation flaws
  • Injection, XSS, SSRF, CSRF, and similar application vulnerabilities
  • Sensitive data exposure and insecure direct object references

Out of scope

  • Denial-of-service (DoS/DDoS) and volumetric or brute-force attacks
  • Social engineering, phishing, or physical attacks against staff or users
  • Reports from automated scanners without a demonstrated, exploitable impact
  • Findings on third-party services (report those to the provider directly)

How to report

Email security@conferences.center with:

  • A clear description of the issue and its potential impact
  • Step-by-step instructions to reproduce it
  • Affected URLs, endpoints, or components
  • Any proof-of-concept, logs, or screenshots (no real user data)
  • How we can reach you for follow-up

Please do

  • Report as soon as you can after discovery, with clear reproduction steps
  • Give us reasonable time to investigate and remediate before public disclosure
  • Only interact with accounts you own or have explicit permission to test
  • Stop and report immediately if you encounter another user's data

Please do not

  • Do not access, modify, download, or exfiltrate data that is not yours
  • Do not run denial-of-service tests or degrade service availability
  • Do not spam, socially engineer, or physically target our team or users
  • Do not publicly disclose an issue before we have coordinated a fix

Coordinated disclosure

We practice coordinated disclosure. We ask that you give us a reasonable opportunity to investigate and remediate before disclosing an issue publicly, and we commit to working with you on a disclosure timeline. Once a fix is in place, we are happy to publicly credit your contribution if you would like recognition.

Frequently asked questions

Do you offer a safe harbor for security research?

Yes. If you make a good-faith effort to comply with this policy, we consider your research authorized, will not pursue or support legal action against you for it, and will work with you to understand and resolve the issue quickly.

How quickly will you respond?

We aim to acknowledge new reports within 3 business days and to provide a substantive update on triage and remediation timelines as we investigate. Complex issues may take longer to fully resolve.

Do you pay bug bounties?

We do not currently operate a paid bug bounty program. We gratefully acknowledge researchers who responsibly report valid issues and, with your permission, will credit your contribution.