Vulnerability Disclosure Policy

We at Railsformers are committed to protecting our users’ data and maintaining the security of our services.

We encourage security researchers to responsibly report vulnerabilities to us.

Scope

This policy applies to:

• All web services under *.reservatic.com
• All web services under *.hedurio.com
• All web services under *.sucto.cz
• All web services under *.per-rollam.com
• All web services under *.rainbowtours.cz and *.rainbowtours.sk
• Reservatic mobile applications (iOS, Android)
• Hedurio mobile applications (iOS, Android)
• NATO Days mobile applications (iOS, Android)
• Related APIs and infrastructure operated by Railsformers

Out of scope

• Third-party services not operated by Railsformers
• Social engineering attacks
• Denial of Service testing

Reporting

• Please report security issues to: security@railsformers.com
• For secure communication, use our PGP key

Guidelines

• Do not exploit vulnerabilities beyond what is necessary to prove the issue.
• Do not access, modify, or delete data belonging to others.
• Do not disrupt services or degrade performance.

Our Commitment

• We will acknowledge your report within 7 days.
• We aim to provide updates and resolve valid issues within 90 days.
• We will credit you in our acknowledgments (Hall of Fame, unless you prefer anonymity).
• We will not pursue legal action if you comply with this policy (safe harbor).

No Bug Bounty

Please note that this is not a paid bug bounty program. We highly appreciate your contributions to security.