Security Disclosure Policy
We appreciate the security community's efforts to keep Elewatt safe. If you believe you've found a security issue, please report it to us following the guidelines below.
How to report
Email security@elewatt.eu with:
- A clear description of the issue and its impact
- Steps to reproduce, or a working proof-of-concept
- The affected URL or endpoint
- Any relevant screenshots, logs, or HTTP requests
In scope
The production application at elewatt.eu.
Out of scope
- Denial-of-service, volumetric, or load-testing attacks
- Social engineering of staff, users, or contractors
- Physical attacks or attacks requiring physical access
- Automated scanner output without a working proof-of-concept demonstrating real impact
- Missing security headers, weak TLS configurations, or best-practice recommendations without a demonstrable exploit path
- Issues in third-party services we rely on (e.g. Vercel, Google OAuth) — please report those directly to the vendor
- Self-XSS, clickjacking on pages with no sensitive actions, CSRF on non-state-changing endpoints
- Reports of outdated software versions without a demonstrated vulnerability
Rewards and recognition
Elewatt is a free service and we do not operate a paid bug bounty program. We will acknowledge valid reports and, with your permission, can credit you publicly as the reporter once the issue is resolved.
Safe harbor
We will not pursue legal action against researchers who act in good faith, comply with this policy, and avoid privacy violations, service disruption, or data destruction. Please give us a reasonable amount of time to investigate and remediate before any public disclosure.
What to expect
Elewatt is maintained by a small team, so responses are best-effort. We'll review every report and follow up once we have assessed the finding. Please do not access, modify, or exfiltrate data beyond the minimum needed to demonstrate the issue.