← Back to Home

Security & Vulnerability Disclosure Policy

Last updated: June 2026

Castori Club welcomes reports from security researchers and members who discover vulnerabilities in our platform. This policy explains what is in scope, how to report a finding, and the commitments we make to researchers who act in good faith. It is the canonical policy referenced by our /.well-known/security.txt file (RFC 9116).

1. How to Report

Email [email protected] with a clear description of the issue. Please include:

We accept reports in English or Portuguese. We aim to acknowledge a report within 3 business days and to provide a remediation timeline after triage.

2. Scope

In scope:

Out of scope:

3. Rules of Engagement

4. Safe Harbor

We consider security research and vulnerability disclosure conducted in accordance with this policy to be authorized. We will not pursue or support legal action against researchers who act in good faith, stay within the scope and rules above, and give us a reasonable opportunity to remediate before any public disclosure. If legal action is initiated by a third party against you for activity that complied with this policy, we will make this authorization known.

5. Coordinated Disclosure

We follow coordinated disclosure. Once a report is triaged, we will keep you informed of remediation progress and, where appropriate, credit you for the discovery. We ask that public disclosure be coordinated with us and not occur before a fix has shipped.

6. Contact

Security reports and questions about this policy:

[email protected]

Machine-readable contact: https://castori.club/.well-known/security.txt

CDNCORE, S.A. · NIF PT 508 234 119

Parkurbis, Parque da Ciência e Tecnologia da Covilhã, 6200-865 Covilhã, Portugal