# Vulnerability Disclosure Policy (VDP)

It is our mission to keep our users safe online by providing secure products that protect them and maintain their privacy. Responsible disclosure of security vulnerabilities helps us ensure the security and privacy of our customers, partners and employees. If you find any indication of a vulnerability in any of our systems, we encourage you to disclose your discovery to us as quickly as possible in accordance with this Responsible Disclosure Program.

# Expectations

- We will work with you to understand and validate your report, including a timely initial response to the submission,
- We will work to remediate discovered vulnerabilities in a timely manner,
- We will recognize your contribution and may reward you for high or critical issues reported to us.

# Scope

The scope of this vulnerability disclosure policy includes any service on our domains `*.excello.cz`, `*.virusfree.cz` and `*.spamfree.cz`, but not services that are hosted by third parties.

# Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be:

- Authorized in view of any applicable laws, and we will not initiate or support legal action against you for accidental, good faith violations of this policy, and we will not bring a claim against you for circumvention of technology controls,
- Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.
By submitting any information, you are granting Excello a perpetual, royalty-free and irrevocable right to use, reproduce, modify, adapt, publish, translate, distribute, transmit, publicly display, publicly perform, sublicense, create derivative works from, transfer and sell such information.

# Contact

You may submit your report to the email address indicated in our security.txt (the RFC 9116 file, normally served at `/.well-known/security.txt`). We encourage you to encrypt your report with PGP in any case.

# Rules and guidelines

To avoid any confusion between legitimate research and malicious attack, we ask that you:

- Handle the confidentiality of details of any discovered vulnerabilities according to our Vulnerability Disclosure Policy;
- Play by the rules. This includes following this policy and any other relevant agreements;
- Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience;
- Use only the Official Channels to discuss vulnerability information with us;
- Report any vulnerability you have discovered promptly;
- Perform activities only on in-scope systems, and respect systems and activities which are out of scope;
- Once you have established that a vulnerability exists or have encountered any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), stop your test, notify us immediately, and do not disclose this data to anyone else;
- Do not engage in extortion;
- Do not submit a high volume of low-quality reports.
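Before sending a report, a researcher will want to confirm the contact address and the PGP key that the Contact section above points to. The following is an added example, not part of Excello's policy or its own tooling: it parses an RFC 9116 security.txt, checks the fields that matter before reporting (a required `Contact`, an unexpired `Expires`, and an `Encryption` pointer to the key the policy asks you to use), and extracts the `mailto:` addresses. The file contents are a constructed sample and `example.com` is a placeholder; the real addresses and key are whatever the live `/.well-known/security.txt` on an in-scope domain says.

```python
"""Added example: sanity-check an RFC 9116 security.txt before reporting.

Not part of Excello's policy page. SAMPLE below is a constructed file and
example.com is a placeholder, not the real contact.
"""
from __future__ import annotations

from datetime import datetime, timezone
from urllib.parse import urlparse

# RFC 9116: Contact and Expires are required; Expires and Preferred-Languages
# must not appear more than once.
REQUIRED_FIELDS = ("Contact", "Expires")
SINGLE_VALUED = ("Expires", "Preferred-Languages")
CONTACT_SCHEMES = ("mailto", "https", "tel")

# Constructed sample; a real file is fetched from
# https://<in-scope-domain>/.well-known/security.txt
SAMPLE = """\
# Constructed sample, not a real policy file
Contact: mailto:security@example.com
Contact: https://example.com/report
Encryption: https://example.com/pgp-key.txt
Expires: 2030-01-01T00:00:00Z
Preferred-Languages: en, cs
Canonical: https://example.com/.well-known/security.txt
"""


def parse_security_txt(text: str) -> dict[str, list[str]]:
    """Return field name -> list of values, ignoring comments and blank lines."""
    fields: dict[str, list[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed security.txt line: {raw!r}")
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def check_security_txt(fields: dict[str, list[str]],
                       now: datetime | None = None) -> list[str]:
    """Return a list of problems; an empty list means the file is usable for reporting."""
    problems: list[str] = []
    now = now or datetime.now(timezone.utc)

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field {name}")
    for name in SINGLE_VALUED:
        if len(fields.get(name, [])) > 1:
            problems.append(f"field {name} must appear at most once")

    for value in fields.get("Expires", []):
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"unparseable Expires value {value!r}")
            continue
        if expires.tzinfo is None:  # RFC requires an offset; tolerate and assume UTC
            expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            problems.append(f"security.txt expired on {value}; re-check the live file")

    for value in fields.get("Contact", []):
        if urlparse(value).scheme not in CONTACT_SCHEMES:
            problems.append(f"Contact {value!r} is not a mailto:/https:/tel: URI")

    if "Encryption" not in fields:
        problems.append("no Encryption field: no published PGP key to encrypt the report with")
    return problems


def report_addresses(fields: dict[str, list[str]]) -> list[str]:
    """Mail addresses to send the report to, taken from mailto: Contact entries."""
    return [v[len("mailto:"):] for v in fields.get("Contact", []) if v.startswith("mailto:")]


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE)
    for problem in check_security_txt(parsed):
        print("WARN:", problem)
    print("report to:", report_addresses(parsed))
    print("PGP key:", parsed.get("Encryption"))
```

If `check_security_txt` reports an expired file or a missing `Encryption` field, treat that as a reason to re-fetch the live file or ask for a key through the listed contact before sending anything sensitive, not as a reason to send the report in the clear.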
# Prohibited activities

The following activities are prohibited:

- Denial of service (including resource exhaustion, automated scanners generating high load, deleting data, fuzzing, etc.),
- Spamming,
- Social engineering (including phishing, spear phishing and smishing),
- Physical access (including entering or surveilling properties),
- Attacking non-internet-facing systems (internal networks, private IPs, workstations, etc.),
- Installing persistent backdoors,
- Irreversible damage to systems and/or data corruption,
- Non-coordinated vulnerability disclosure.

# Issues out of scope

Issues without direct security impact, lack of hardening, or missing defense-in-depth measures are out of the scope of this VDP, in particular:

- Findings from physical testing such as office access (e.g. open doors, tailgating)
- Findings derived primarily from social engineering (e.g. phishing, vishing)
- Findings from applications or systems not listed in the `Scope` section
- UI and UX bugs and spelling mistakes
- Network-level Denial of Service (DoS/DDoS) vulnerabilities
- Missing cookie flags and security headers
- Form spamming

We do not want to receive:

- Sensitive information, such as PII or financial information, regardless of whether it originates from in-scope domains,
- Results from automated scanning tools.

# Legalities

This policy is designed to be compatible with common vulnerability disclosure good practice. It does not give you permission to act in any manner that is inconsistent with the law, or which might cause the organization or partner organizations to be in breach of any legal obligations.