
Reporting a security issue

We follow the same coordinated-vulnerability-disclosure approach we recommend to our readers. Report responsibly; we'll acknowledge quickly and remediate transparently.

How to report

Email [email protected]. PGP key available on request. Please include reproduction steps and any proof-of-concept needed to verify the finding. The same address is published in our /.well-known/security.txt.

What to expect

  • Acknowledgement within 3 business days.
  • Triage with severity assessment within 7 business days.
  • Target remediation within 90 days for high/critical, 180 days for medium.
  • Public credit in our security advisories, if you'd like it.

Scope

  • In scope: the cra-experts.com web application, the lead-form Pages Function, and our paid tools when launched.
  • Out of scope: third-party services we link to (ENISA, EUR-Lex, etc.) and findings from standard vulnerability scanners that have no working exploit path.

Things we'd rather you didn't do

  • Run automated load tests or scanners that materially affect availability.
  • Access, modify, or exfiltrate data that doesn't belong to you.
  • Publicly disclose before we've had a reasonable chance to fix.

Safe-harbour

Good-faith research consistent with this policy is welcome and authorised. We won't pursue legal action against researchers who follow it.