Last updated: June 2026
Castori Club welcomes reports from security researchers and members who discover vulnerabilities in our platform. This policy explains what is in scope, how to report a finding, and the commitments we make to researchers who act in good faith. It is the canonical policy referenced by our /.well-known/security.txt file (RFC 9116).
Email [email protected] with a clear description of the issue. Please include:
We accept reports in English or Portuguese. We aim to acknowledge a report within 3 business days and to provide a remediation timeline after triage.
In scope:
castori.club/apiOut of scope:
We consider security research and vulnerability disclosure conducted in accordance with this policy to be authorized. We will not pursue or support legal action against researchers who act in good faith, stay within the scope and rules above, and give us a reasonable opportunity to remediate before any public disclosure. If legal action is initiated by a third party against you for activity that complied with this policy, we will make this authorization known.
We follow coordinated disclosure. Once a report is triaged, we will keep you informed of remediation progress and, where appropriate, credit you for the discovery. We ask that public disclosure be coordinated with us and not occur before a fix has shipped.
Security reports and questions about this policy:
Machine-readable contact: https://castori.club/.well-known/security.txt
CDNCORE, S.A. · NIF PT 508 234 119
Parkurbis, Parque da Ciência e Tecnologia da Covilhã, 6200-865 Covilhã, Portugal