Security
Coordinated vulnerability disclosure
If you've found a security issue in eYou, we want to hear from you. This page explains how to report it, what we commit to in return, and the safe-harbor protections in place for good-faith researchers.
Report a vulnerability
security@eyou.social
For sensitive reports we recommend encrypting with our PGP key. Otherwise plain-text email is fine. Please avoid GitHub issues, social media, or any public channel.
PGP key
Download: security-pgp.asc
Fingerprint
1B66 B79A D8EC 9679 C61D EA64 3DB6 37F3 713C 5013
Verify the file you download matches this fingerprint before encrypting anything to it.
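One way to do that check from the command line, as an added example that is not part of this policy page: the script reads the downloaded key with GnuPG's machine-readable colon output, takes the primary key's fingerprint, and compares it (ignoring spacing and case) with the fingerprint printed above. It assumes gpg is installed and that the file is the security-pgp.asc linked on this page; the published fingerprint is the only value taken from the page.

```shell
#!/bin/sh
# Added example, not part of the eYou policy page.
# Verifies that a downloaded PGP public key file carries the fingerprint
# published on the disclosure page before anything is encrypted to it.
# Assumes GnuPG (gpg) is installed and the key file is security-pgp.asc.

# Fingerprint as printed on the page.
EXPECTED_FPR="1B66 B79A D8EC 9679 C61D EA64 3DB6 37F3 713C 5013"

# Normalise a fingerprint for comparison: drop whitespace, upper-case hex.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t' | tr '[:lower:]' '[:upper:]'
}

# Read gpg --with-colons records on stdin and print the primary key's
# fingerprint: field 10 of the first "fpr" record (later fpr records
# belong to subkeys).
primary_fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Return 0 if the key file's primary fingerprint matches EXPECTED_FPR, else 1.
# show-only lists the key without importing it into the local keyring.
verify_key_file() {
    keyfile="$1"
    actual=$(gpg --with-colons --import-options show-only --import "$keyfile" 2>/dev/null \
             | primary_fpr_from_colons)
    if [ -z "$actual" ]; then
        echo "could not read a fingerprint from $keyfile" >&2
        return 1
    fi
    if [ "$(normalize_fpr "$actual")" = "$(normalize_fpr "$EXPECTED_FPR")" ]; then
        echo "OK: $keyfile matches the published fingerprint"
        return 0
    fi
    echo "MISMATCH: got $actual, expected $EXPECTED_FPR" >&2
    return 1
}

# Usage: sh verify-key.sh security-pgp.asc
# Only runs the check when a file argument is given, so the functions can
# also be sourced into another script.
if [ -n "$1" ]; then
    verify_key_file "$1"
fi
```

Only encrypt to the key once the script reports OK; a mismatch means the file you downloaded is not the key this page describes, whatever the reason, and the right move is to obtain it again over a trusted channel rather than use it.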
What to include
- A clear description of the issue and its potential impact.
- Reproduction steps a developer can follow — including the URL, request payload, and any account you used.
- Any proof-of-concept code, screenshots, or videos. Keep them minimal — just enough to demonstrate the bug.
- Your name or handle if you'd like to be credited; otherwise we'll handle the report anonymously.
Scope
Anything we own and operate is in scope:
- eyou.social and its subdomains
- The eYou mobile apps (iOS and Android)
- Our public API endpoints under api.eyou.social
Out of scope: third-party services we depend on but don't operate (cloud infrastructure, email delivery providers, analytics vendors), social engineering of staff, physical attacks, denial-of-service tests, automated scanners that generate volume against our systems, and any activity that would access or modify other users' data without consent.
Safe harbor
We will not initiate or recommend legal action against researchers who report vulnerabilities in good faith and in accordance with this policy. We consider research conducted under this policy to be:
- Authorized, with respect to applicable anti-hacking laws.
- Exempt from restrictions in our Terms of Service that would otherwise prohibit testing.
- Conducted with our consent, for the purpose of vulnerability research.
This protection extends only to activities within the scope above and that follow the "what we ask" section below.
What we ask of you
- Don't access, modify, or download data beyond what's needed to demonstrate the issue.
- If you encounter user data, stop immediately and tell us in your report.
- Don't degrade or interrupt our service. No DoS, no vulnerability scanning that generates significant load.
- Give us a reasonable window to fix the issue before public disclosure. Our default expectation is 90 days from your initial report, or earlier by mutual agreement.
- Don't publicly disclose, sell, or trade the vulnerability before the coordinated window closes.
What we commit to
- Acknowledge your report; we aim to do so within 7 days.
- Triage the issue and assign a severity; we aim to do so within 30 days.
- Keep you informed of progress at reasonable intervals.
- Notify you when the issue is resolved and coordinate any public disclosure with you.
- Credit you publicly (with your permission) once a fix is live.
Out-of-scope findings
To save everyone's time, the following are generally not considered security vulnerabilities and don't need to be reported:
- Missing or misconfigured HTTP security headers without a demonstrable exploit.
- Reports from automated scanners without a working proof-of-concept.
- Self-XSS or issues that require physical access to an unlocked device.
- Lack of rate limiting on non-sensitive endpoints.
- Software version disclosure in HTTP headers or pages.
- Issues in third-party services we don't operate.
- Social engineering, phishing, or attacks targeting our staff.
Rewards
We don't currently run a paid bug bounty program. We're happy to acknowledge researchers publicly on this page, in release notes, or in our public communications when an issue is fixed. If you'd prefer to stay anonymous, just let us know. We have no obligation to provide compensation, and any acknowledgment is at our discretion.
Legal terms
The following terms protect both you and us. They apply alongside the safe-harbor commitment above.
No coercion
Disclosure must not be conditional on payment, equity, services, employment, or any other consideration we have not publicly offered. Any communication that threatens public release, sale to a third party, or other harm unless a demand is met falls outside this policy and outside the safe-harbor protections above. We will treat such communications as extortion and respond accordingly.
Confidentiality
You agree to keep vulnerability details confidential until we have remediated the issue or you have received our written approval to disclose, whichever comes first. You may not share details with third parties — including vulnerability brokers, the press, or private research groups — during the coordinated-disclosure window.
Handling of personal data
If your research causes you to encounter personal data belonging to our users — including but not limited to email addresses, IP addresses, names, content, or device identifiers — you must:
- Stop testing immediately and tell us in your report.
- Not store, copy, transmit, or share the data with anyone outside this disclosure channel.
- Delete any data you collected as soon as we acknowledge the report.
- Provide proof of deletion if we ask for it.
Failure to comply with this section may expose you to liability under the General Data Protection Regulation (EU 2016/679) and the Croatian Data Protection Act, neither of which we can waive on your behalf.
Compliance with applicable laws
Safe harbor applies only to research conducted in good faith and in compliance with all applicable laws — including the GDPR, the Croatian Criminal Code, and equivalent legislation in your own jurisdiction. We cannot authorize conduct that is unlawful under those laws.
Non-disclosure agreements
We will generally not sign non-disclosure agreements covering vulnerability reports. The coordinated-disclosure terms in this policy are the framework we operate under.
Discretion and modification
We determine, in our sole reasonable discretion, whether a report qualifies under this policy. We may update this policy at any time; the version published at this URL governs.
Governing law
This policy is governed by the laws of the Republic of Croatia. Any dispute arising under it shall be brought before the competent courts of Zagreb, Croatia. Nothing in this policy limits any non-waivable rights you may have under your local law.
eYou.Social j.d.o.o. za usluge · Ilica 71 · HR-10000 Zagreb, Croatia. This policy is published in English. If you can only write to us in another language, do so — we'll translate.