Security & Vulnerability Disclosure Policy
We sell security consulting — so we keep our own disclosure channels open and respond on a published clock.
Scope
This policy covers the following assets under our control:
- ctrlaltgrow.hr and any subdomain we publish
- The corresponding API endpoints (e.g. /api/contact)
- Cloudflare Pages Functions and config visible in production (HTTP headers, CSP, security.txt)
- Our public PGP key and signed security.txt
Client infrastructure and business systems are not in scope unless a separate testing agreement says so. See Out of scope.
How to report
Email security@ctrlaltgrow.hr. Plain email is fine for most reports.
For sensitive findings (working exploit, leaked data, credentials) please encrypt with our PGP key:
- Fingerprint: 7BFA 32D2 B4F4 1E4B C280 A8A5 EDFF 5CB3 EE8A 6CD6
- Key: /.well-known/pgp-key.txt
- Machine-readable policy: /.well-known/security.txt (RFC 9116, clear-signed)
If email is unreachable for any reason, the contact form on the homepage is a safe fallback — describe the finding briefly and request a channel for full details.
What to include
- Short description of the vulnerability and potential impact
- Exact URL or component affected
- Reproduction steps (proof of concept, screenshot, request/response trace if applicable)
- Your severity assessment (CVSS v3.1 if you use it — see SLAs)
- How you'd like to be credited in the Hall of Fame — if at all
Please do not include real PII, real credentials, or third-party data — use test data you generate yourself.
Safe harbor
If your research follows this policy in good faith, we will consider it authorized. To the extent that criminal prosecution depends on a private complaint by the injured party, Ctrl Alt Grow commits to not:
- file a criminal complaint or request for prosecution under Articles 266–269 of the Croatian Criminal Code (unauthorized access to a computer system, system interference, damage to computer data, unlawful interception) for activities covered by this policy in their basic forms
- pursue civil damages claims against researchers acting in good faith and within the scope of this policy
- contact your employer or clients seeking retaliation
This protection applies only to in-scope assets (see Scope) and to research that avoids deliberate harm, third-party data exfiltration, or public disclosure before our response.
Personal data. If you encounter personal data during testing, you must immediately stop testing on that endpoint, must not copy, store, or further process that data, and must notify Ctrl Alt Grow within 24 hours. Access to PII beyond the minimum required to demonstrate the vulnerability falls outside safe-harbor protection.
Legal note: qualified forms of the listed offences are prosecuted ex officio by the Croatian State Attorney's Office — we cannot rule that out unilaterally. For basic forms prosecuted on private complaint, our waiver is fully binding. We will unequivocally confirm authorized status of research that follows this policy if approached by any authority. Adapted from the disclose.io template under CC0.
Relationship with other policies. This policy governs responsible security disclosure and does not affect our Privacy Policy. Processing of personal data of researchers who submit reports is governed by our Privacy Policy.
Response SLAs
Measured in business days (Mon–Fri, excluding Croatian public holidays):
- 3 BD — acknowledgement from a human, not an autoresponder
- 10 BD — initial triage with severity assessment and target remediation date
- 30 BD — fix, mitigation, or reasoned WONTFIX decision
Severity follows CVSS v3.1 (Critical 9.0–10.0, High 7.0–8.9, Medium 4.0–6.9, Low 0.1–3.9). Critical findings supersede the SLA and are handled same-day.
Disclosure & credit
We follow Coordinated Vulnerability Disclosure (CVD): finding details are not made public until a fix has shipped or a joint disclosure date is agreed.
Embargo is a safe-harbor condition. Default embargo is 90 days from initial report; the safe-harbor protection described above applies only if the researcher honours that period. Extensions for complex remediations are available by written agreement.
Fallback if we don't respond. If Ctrl Alt Grow fails to deliver initial triage within 10 business days of acknowledgement (see Response SLAs), the researcher may unilaterally shorten the embargo to 30 days by written notice — and retains safe-harbor protection in that case.
If you want public credit, tell us how you'd like to be named. We publish accepted reports in the Hall of Fame once the fix has shipped. Anonymous reports are equally welcome.
Out of scope
The following are not covered by this policy (reports are welcome, but safe harbor does not apply):
- DDoS, stress testing, or any form of testing that affects service availability for other users
- Social engineering of any employee, client, or partner, phishing, physical access
- Spam or automated submission against /api/contact
- Testing of third-party services we use (Cloudflare, Google Workspace, GitHub) — please use their own VDP programmes directly
- Best-practice reports without demonstrated impact (e.g. “your DMARC policy is not p=reject” when we run quarantine)
- Compromise of client systems — report to us, we coordinate with the client
Standards
This policy is aligned with:
- ISO/IEC 29147:2018 — Vulnerability disclosure
- ISO/IEC 30111:2019 — Vulnerability handling processes
- CERT/CC Guide to Coordinated Vulnerability Disclosure
- RFC 9116 — A File Format to Aid in Security Vulnerability Disclosure (security.txt)
Metadata
- Policy version: 1.1
- Last reviewed: 2026-05-14
- Next planned review: annually or before PGP key expiry
- Machine-readable policy: /.well-known/security.txt
- Public key: /.well-known/pgp-key.txt