Legal

Vulnerability Disclosure Policy

This policy sets out the terms on which Sitrava accepts good-faith security research and vulnerability reports. Practical reporting instructions and safe-testing boundaries are on the Security page.

Coordinated disclosure

Sitrava expects reporters to give reasonable time for investigation and remediation before public disclosure. Sitrava will coordinate timing with the reporter where possible.

No guarantee of bounty

Sitrava does not currently guarantee financial rewards for reports. Recognition may be offered on a case-by-case basis.

Legal safe harbour

Sitrava will not pursue good-faith researchers who comply with the safe-testing boundaries. This does not authorise activity that violates applicable law or third-party rights.