
🛡️ Security at EmailConnect

We take security seriously. This page outlines our security practices and how to responsibly disclose vulnerabilities.

Responsible disclosure policy

We welcome security researchers to help us keep EmailConnect secure. If you discover a vulnerability, please report it responsibly following the guidelines below.

How to report a vulnerability

Send your report to:

security@emailconnect.eu

Please include as much detail as possible: steps to reproduce, potential impact, and any proof-of-concept code.

What to expect

  Timeline          Our commitment
  ----------------  -------------------------------------------------------
  Within 24 hours   We acknowledge receipt of your report
  Within 7 days     We provide an initial assessment and severity evaluation
  Within 90 days    We aim to resolve confirmed vulnerabilities

Scope

The following systems are in scope for security testing:

  • emailconnect.eu — Marketing website
  • app.emailconnect.eu — Application platform

Out of scope

The following are explicitly excluded from testing:

  • Denial of Service (DoS/DDoS) attacks
  • Social engineering or phishing of employees or users
  • Physical security attacks
  • Attacks against third-party services we use
  • Automated vulnerability scanning without prior permission
  • Spam or email bombing
  • Any testing that could degrade service for other users

Safe harbor

If you follow this policy in good faith, we will not pursue legal action against you. We ask that you:

  • Do not access or modify data belonging to other users
  • Do not publicly disclose vulnerabilities before we've had a chance to fix them
  • Act in good faith to avoid privacy violations and service disruption
  • Only test against accounts you own or have explicit permission to test

Our security practices

🔐 Encryption

All data encrypted in transit (TLS 1.3) and at rest. No unencrypted connections accepted.

🇪🇺 EU infrastructure

100% European servers and operations. No exposure to foreign surveillance laws.

🔍 Access control

Principle of least privilege. All access logged and auditable. No shared credentials.

📋 Regular audits

Continuous dependency scanning. Regular security reviews of infrastructure and code.

Security headers

We implement industry-standard security headers including:

  • Content Security Policy (CSP)
  • X-Frame-Options to prevent clickjacking
  • X-Content-Type-Options to prevent MIME sniffing
  • Strict referrer policy
  • Permissions policy restricting unnecessary browser APIs
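The list above is the kind of thing a reviewer verifies on a live response rather than takes on trust. The following Python is an added illustration of such a check; it is not EmailConnect's own code, and the sample header sets in it are constructed for the example rather than captured from emailconnect.eu. It verifies each header named in the policy and also checks that the Content-Security-Policy does not allow inline scripts without a nonce or hash, which goes slightly beyond the bullet list.

```python
"""Check an HTTP response's security headers against the policy's list.

Added example, not EmailConnect's own code. The two header dictionaries
below are constructed sample input, not responses captured from the site.
"""
from typing import Dict, List

# Referrer-Policy values that never send the full URL to another origin.
STRICT_REFERRER_POLICIES = {
    "no-referrer",
    "same-origin",
    "strict-origin",
    "strict-origin-when-cross-origin",
}


def _lower_keys(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive; normalise them for lookup."""
    return {k.lower(): v.strip() for k, v in headers.items()}


def _csp_directives(csp: str) -> Dict[str, List[str]]:
    """Split 'default-src 'self'; script-src ...' into {directive: [sources]}."""
    out: Dict[str, List[str]] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            out[tokens[0].lower()] = tokens[1:]
    return out


def check_security_headers(headers: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = _lower_keys(headers)
    findings: List[str] = []

    # Content Security Policy: must exist, and scripts must not be inline
    # unless a nonce or hash is used (script-src falls back to default-src).
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        d = _csp_directives(csp)
        script_src = d.get("script-src", d.get("default-src", []))
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
            for s in script_src
        )
        if "'unsafe-inline'" in script_src and not has_nonce_or_hash:
            findings.append("CSP allows inline scripts without a nonce or hash")

    # X-Frame-Options: only DENY or SAMEORIGIN stop framing by other sites.
    if h.get("x-frame-options", "").upper() not in {"DENY", "SAMEORIGIN"}:
        findings.append("X-Frame-Options should be DENY or SAMEORIGIN (clickjacking)")

    # X-Content-Type-Options: the only meaningful value is nosniff.
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options should be nosniff (MIME sniffing)")

    # Referrer-Policy: must be one of the strict values.
    if h.get("referrer-policy", "").lower() not in STRICT_REFERRER_POLICIES:
        findings.append("Referrer-Policy missing or not a strict value")

    # Permissions-Policy: presence is all this simple check verifies.
    if "permissions-policy" not in h:
        findings.append("missing Permissions-Policy")

    return findings


# Constructed sample: a response that satisfies every check.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}

# Constructed sample: a response that fails all five checks.
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src *; script-src * 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "Referrer-Policy": "unsafe-url",
}


if __name__ == "__main__":
    for name, sample in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, check_security_headers(sample) or "all checks passed")
```

To run it against a real response, pass the header mapping from whatever HTTP client you use (for example the `headers` attribute of a `urllib.request` or `requests` response) in place of the constructed dictionaries.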

Related resources

Need enterprise-grade security controls?

Our enterprise tier adds immutable audit logging, role-based access control, IP whitelisting, signed DPAs, and SLA guarantees for organisations that need full compliance accountability.

Talk to us about enterprise

Questions about our security practices?

Contact us at security@emailconnect.eu