01. In scope

salentosec.org and its subdomains (api.*, www, etc.); salentosec.org if active; salentosec.org/.well-known/*; endpoints exposed under /api/*. The application surface is small (minimal PHP), but it exists.

02. Out of scope

Third-party sites we link to (CTF platforms, OWASP, leccemeteo.it, etc.); social accounts (Telegram, Instagram, etc.); members' personal email accounts; intellisecsalento.it if not active; any vulnerability in users' browsers or systems.

03. What is NOT authorized

Tests that can impact service availability (DoS, DDoS, stress testing, mass brute-force). Mass data exfiltration, even where the data is accessible. Modifying other users' data or attempting to access accounts that are not yours. Phishing or social engineering against SalentoSec members. Public disclosure before a patch is released and we have authorized it.

04. How to report

Email security@salentosec.org. Include: a description, reproduction steps, estimated impact, a PoC or screenshots, and your handle if you want to appear in the Hall of Fame.

05. What to expect

Acknowledgment within 72 hours. Triage within 7 days. A status update every 14 days while the report is open. Public credit (with your consent) in the Hall of Fame after the fix. We do NOT offer a monetary bounty: we are a non-profit. If we ever have a budget, we will respect the chronological order of reporters.

06. Safe harbor

We commit NOT to pursue legal action against good-faith reporters following this policy. We will treat your actions as authorized under Italian law, provided you stayed within scope, caused no harm, and respected responsible disclosure.

Hall of Fame

People who helped us close security issues.

No reports yet. We hope it stays that way as long as possible.