Security & responsible disclosure

1. Reporting a vulnerability

Please email hi@eevsec.com with the subject line "Security report". Include a clear description of the issue, the affected URL or component, the steps to reproduce it, and any proof-of-concept or screenshots. Our machine-readable contact details are published at /.well-known/security.txt.

2. Scope

This policy covers the website at eevsec.com and its subdomains. The CyberRange training platform itself is in pre-launch; when it opens, this policy will be extended to cover it. Findings in third-party services we use (for example our hosting, email, form, or analytics providers) should be reported to those providers, although we are happy to help route a report.

3. Safe harbour

We will not pursue legal action against researchers who act in good faith and follow this policy. To stay in scope, please: only test against your own data and accounts; do not access, modify, or destroy data that is not yours; do not run denial-of-service, spam, or social-engineering attacks; do not test physical security; and give us a reasonable time to fix an issue before disclosing it publicly.

4. Commonly out of scope

Reports that usually do not qualify include: missing security headers that can only be set at the hosting or CDN layer, rate-limiting on a static site, theoretical issues without a working proof of concept, vulnerabilities in outdated browsers, and automated-scanner output without analysis. We still welcome a note if you are unsure.

5. What to expect

We aim to acknowledge a report within a few business days, keep you updated as we investigate, and let you know when the issue is resolved. We do not currently run a paid bug-bounty programme, but we are grateful for responsible reports and are happy to credit you if you would like.

6. Contact