Security Policy

Last updated: 3 May 2026

Thank you for helping keep Craftwebstudio secure. This page describes how to report a vulnerability and what to expect from us.

How to report

• Email: info@craftwebstudio.ge
• Contact form: /contact
• Public policy file (RFC 9116): /.well-known/security.txt

What to include

• A clear description of the vulnerability and its impact
• Reproduction steps (URL, payload, screenshots)
• Your contact info (for credit, if desired)

Our response timeline

• 72 hours — acknowledgement of receipt
• 7 days — initial triage and severity assessment
• 90 days — target remediation window (coordinated disclosure)

Scope

In scope:

• craftwebstudio.ge and its subdomains
• Admin surface: /admin/*
• Public APIs: /api/contact, /api/csp-report, /api/telegram/webhook, /api/webhooks/*

Out of scope:

• Third-party providers (Vercel, Neon, Upstash, Resend) — please report directly to the vendor
• Social engineering, physical attacks, DDoS
• Already-public CVEs in third-party libraries we depend on

Safe Harbor

If you conduct security research in good faith and within this policy, we will not pursue legal action against you. Please:

• Do not access or modify user data — use your own test accounts
• No DoS, large-scale brute force, or actual phishing
• Notify us first; only disclose publicly after we have remediated

Recognition

We do not run a paid bounty program. With your permission, we will publicly credit valid reports in the acknowledgements list at the bottom of this page.

Acknowledgements

Thanks to the researchers who have helped us — this list will appear after our first valid report.