Security

Vulnerability Disclosure Policy

Last updated: 05.05.2026

CYBERSKILL SRL (the “Organizer”) takes the security of www.theaiminds.ro seriously. This page describes how to report a vulnerability responsibly and what you can expect from us in return.

1. How to report

  • Email contact@theaiminds.ro with subject prefix [SECURITY].
  • Include: affected URL or endpoint, a clear reproduction (steps, payload, request/response), expected vs. observed behavior, and the impact you believe it has.
  • If the report is sensitive, encrypt it with our PGP key (see the Encryption field in /.well-known/security.txt) — currently optional; if you provide no key, we reply in cleartext.
  • Do not open public GitHub issues, social-media threads, or press inquiries before we’ve had a chance to respond.

2. Scope

The following assets are in scope:

  • theaiminds.ro, www.theaiminds.ro and any subdomain operated directly by the Organizer.
  • The ticketing flow, admin panel authentication, Stripe webhook endpoint, scanner and check-in endpoints.
  • Email confirmation flow (links, tokens, unsubscribe).

The following are out of scope:

  • Third-party services we integrate with (Stripe, Google Workspace SMTP, Cloudflare). Report those to the vendor.
  • Findings that require physical access, social engineering of staff or volunteers, or theft of attendee credentials.
  • Denial-of-service, volumetric attacks, traffic flooding.
  • Reports based purely on missing best-practice headers, version disclosure, or scanner output without demonstrable impact.
  • Self-XSS, clickjacking on pages without sensitive actions, missing cookie flags on non-auth cookies.
  • Findings only reproducible on outdated browsers (>2 versions behind current stable).

3. Safe harbor

If you act in good faith and stay within this policy, the Organizer:

  • Will not pursue or support legal action against you.
  • Will treat your report as authorized testing under Romanian Law 161/2003 art. 42 and the EU NIS2 framework, to the extent allowed.
  • Will work with you on coordinated disclosure.

Good faith means: only test accounts you own, never exfiltrate data beyond the minimum needed to prove the issue, do not pivot or persist, do not modify or destroy data, do not impact other users.

4. Disclosure timeline

  • Acknowledgement: within 5 business days.
  • Triage / severity decision: within 10 business days.
  • Fix or mitigation: Critical — 7 days, High — 30 days, Medium — 60 days, Low — 90 days. These targets are best-effort and may be extended by mutual agreement.
  • Public disclosure: coordinated, typically 90 days from initial report or upon fix — whichever comes first. Earlier release on mutual agreement.

5. Acknowledgments

For valid, in-scope reports we will publicly thank the reporter on this page (with consent), unless you prefer to remain anonymous. There is currently no monetary bug bounty; this is a coordinated disclosure program.

6. Hall of fame

No reports yet. Be the first.

7. Out-of-scope payloads we reject

  • Automated scanner output without manual validation.
  • SPF/DKIM/DMARC findings on aliases not used for outbound mail.
  • Open-redirect on locale switch endpoints when redirect target is restricted to ro|en.
  • Vulnerabilities in cgi-bin/ default scripts shipped by the cPanel host (out of our control — report to host).

8. Contact

Email: contact@theaiminds.ro · Preferred languages: ro, en

This document is the Policy referenced in our /.well-known/security.txt.