Vulnerability Disclosure Policy

Scope

This policy applies to the following assets owned and operated by Callisto Grand s.r.o.:

callistogrand.com — primary website and all subdomains
API endpoints served under callistogrand.com/api/*

Third-party services we use (e.g. HubSpot, Stripe, Pretix) are out of scope. Please report vulnerabilities in those services directly to the respective vendor.

How to Report

Please send vulnerability reports to security@callistogrand.com. Include the following information to help us reproduce and assess the issue:

A description of the vulnerability and its potential impact
Step-by-step reproduction instructions
Any affected URLs, parameters, or endpoints
Your IP address or user agent (so we can review logs)
Screenshots or proof-of-concept code where applicable

PGP encryption (optional):

You may encrypt your report using our PGP public key.

Response SLA

Stage	Target
Initial acknowledgement	≤ 5 business days
Triage & severity assessment	≤ 10 business days
Critical / High severity fix	≤ 30 calendar days
Medium / Low severity fix	≤ 90 calendar days
Coordinated public disclosure	After fix deployed, or 90 days (whichever first)

In-Scope Vulnerabilities

Cross-site scripting (XSS)
Cross-site request forgery (CSRF)
SQL injection
Server-side request forgery (SSRF)
Authentication or authorisation bypass
Sensitive data exposure (PII leakage, credentials in responses)
Remote code execution (RCE)
Directory traversal / path traversal
Business logic flaws with security impact

Out of Scope

Denial-of-service (DoS/DDoS) attacks — do not test
Social engineering or phishing of staff
Physical security
Automated scanning without prior written approval
Vulnerabilities in third-party services we integrate with
Missing security headers that do not lead to exploitable impact
SPF/DKIM/DMARC configuration (informational only)
Clickjacking on pages with no sensitive actions

Safe Harbour

We consider security research conducted in accordance with this policy to be:

Authorised under applicable anti-hacking laws
Exempt from DMCA restrictions on circumvention of security controls
Lawful and conducted in good faith

We will not pursue legal action against researchers who comply with this policy. We ask that you make a good-faith effort to avoid privacy violations, data destruction, and service disruption during your research.

Acknowledgements

We believe in recognising the efforts of security researchers. With your permission, we will publicly list your name or handle in our security acknowledgements.

At this time, Callisto Grand does not operate a paid bug bounty programme. We may consider establishing one in the future based on the volume and nature of reports received.

Contact

Security reports:

security@callistogrand.com

Machine-readable policy:

/.well-known/security.txt (RFC 9116)

Scope

This policy applies to the following assets owned and operated by Callisto Grand s.r.o.:

callistogrand.com — primary website and all subdomains

API endpoints served under callistogrand.com/api/*

Third-party services we use (e.g. HubSpot, Stripe, Pretix) are out of scope. Please report vulnerabilities in those services directly to the respective vendor.

How to Report

Please send vulnerability reports to security@callistogrand.com. Include the following information to help us reproduce and assess the issue:

A description of the vulnerability and its potential impact

Step-by-step reproduction instructions

Any affected URLs, parameters, or endpoints

Your IP address or user agent (so we can review logs)

Screenshots or proof-of-concept code where applicable

PGP encryption (optional):

You may encrypt your report using our PGP public key.

Stage

Target

Initial acknowledgement

≤ 5 business days

Triage & severity assessment

≤ 10 business days

Critical / High severity fix

≤ 30 calendar days

Medium / Low severity fix

≤ 90 calendar days

Coordinated public disclosure

After fix deployed, or 90 days (whichever first)

In-Scope Vulnerabilities

Cross-site scripting (XSS)

Cross-site request forgery (CSRF)

SQL injection

Server-side request forgery (SSRF)

Authentication or authorisation bypass

Sensitive data exposure (PII leakage, credentials in responses)

Remote code execution (RCE)

Directory traversal / path traversal

Business logic flaws with security impact

Out of Scope

Denial-of-service (DoS/DDoS) attacks — do not test

Social engineering or phishing of staff

Physical security

Automated scanning without prior written approval

Vulnerabilities in third-party services we integrate with

Missing security headers that do not lead to exploitable impact

SPF/DKIM/DMARC configuration (informational only)

Clickjacking on pages with no sensitive actions

Safe Harbour

We consider security research conducted in accordance with this policy to be:

Authorised under applicable anti-hacking laws
Exempt from DMCA restrictions on circumvention of security controls
Lawful and conducted in good faith

Acknowledgements

We believe in recognising the efforts of security researchers. With your permission, we will publicly list your name or handle in our security acknowledgements.

At this time, Callisto Grand does not operate a paid bug bounty programme. We may consider establishing one in the future based on the volume and nature of reports received.