Vulnerability Disclosure
Responsible disclosure policy
We value the work of security researchers and the wider community in keeping Conferences.Center safe. If you believe you have found a security vulnerability, we want to hear from you — and we commit to working with you in good faith to resolve it.
Good-faith safe harbor
If you make a good-faith effort to follow this policy, we will treat your research as authorized. We will not pursue or support legal action against you for accidental, good-faith violations, and we will work with you to resolve the issue promptly.
Acknowledgement window
We aim to acknowledge new reports within 3 business days and to share triage and remediation timelines as we investigate. We will keep you informed through resolution.
Scope
In scope
- The Conferences.Center web application and its public API
- Authentication, authorization, and tenant-isolation flaws
- Injection, XSS, SSRF, CSRF, and similar application vulnerabilities
- Sensitive data exposure and insecure direct object references
Out of scope
- Denial-of-service (DoS/DDoS) and volumetric or brute-force attacks
- Social engineering, phishing, or physical attacks against staff or users
- Reports from automated scanners without a demonstrated, exploitable impact
- Findings on third-party services (report those to the provider directly)
How to report
Email security@conferences.center with:
- A clear description of the issue and its potential impact
- Step-by-step instructions to reproduce it
- Affected URLs, endpoints, or components
- Any proof-of-concept, logs, or screenshots (no real user data)
- How we can reach you for follow-up
Please do
- Report as soon as you can after discovery, with clear reproduction steps
- Give us reasonable time to investigate and remediate before public disclosure
- Only interact with accounts you own or have explicit permission to test
- Stop and report immediately if you encounter another user's data
Please do not
- Do not access, modify, download, or exfiltrate data that is not yours
- Do not run denial-of-service tests or degrade service availability
- Do not spam, socially engineer, or physically target our team or users
- Do not publicly disclose an issue before we have coordinated a fix
Coordinated disclosure
We practice coordinated disclosure. We ask that you give us a reasonable opportunity to investigate and remediate before disclosing an issue publicly, and we commit to working with you on a disclosure timeline. Once a fix is in place, we are happy to publicly credit your contribution if you would like recognition.
Frequently asked questions
Do you offer a safe harbor for security research?
Yes. If you make a good-faith effort to comply with this policy, we consider your research authorized, will not pursue or support legal action against you for it, and will work with you to understand and resolve the issue quickly.
How quickly will you respond?
We aim to acknowledge new reports within 3 business days and to provide a substantive update on triage and remediation timelines as we investigate. Complex issues may take longer to fully resolve.
Do you pay bug bounties?
We do not currently operate a paid bug bounty program. We gratefully acknowledge researchers who responsibly report valid issues and, with your permission, will credit your contribution.