Vulnerability Disclosure Policy (VDP)
CYBERMOOV encourages the responsible disclosure of security vulnerabilities affecting its services and website.
We value the contributions of independent researchers in improving security and resilience.
We also value the responsible disclosure of security vulnerabilities affecting the stakeholders for whom we work in the maritime, port, aviation, space, transportation and other critical sectors, as well as regional players. While such reports are not eligible for any compensation or reward from us, we will do our best to forward them to the appropriate organizations.
If a disclosure fully complies with this policy, we commit not to pursue legal action against the reporter and to treat all submissions in good faith.
Program Terms
Your participation is voluntary and subject to these Program Terms.
By submitting a report, you agree that you have read and accepted them.
- Do not modify, delete, or access data beyond what is required to demonstrate the vulnerability.
- Do not disrupt, degrade, or attempt denial-of-service attacks on our systems.
- Limit testing to non-destructive, ethical methods within the declared scope.
Scope
In-scope domain:
cybermoov.eu — Static webpage
Only the above domain and its direct web application components are covered by this policy.
Out-of-Scope Infrastructure Issues (Managed by OVH)
Infrastructure and platform vulnerabilities related to the hosting provider are not in scope and should be reported directly to OVH.
- TLS / SSL certificate configuration or renewal for OVH-managed endpoints
- Server or database certificates issued and maintained by OVH
- Open ports, network exposure, or firewall configuration at the OVH level
- HTTP, Apache, OpenSSL or PHP misconfigurations controlled by OVH
- File-system isolation, kernel, virtualization, or DDoS infrastructure
- OVH customer panel, API, or DNS platform vulnerabilities
→ Report such issues directly to OVH:
📧 abuse@ovh.net — 🔗 https://www.ovh.com/abuse/
Response Targets
| Type of Response | Target (business days) |
|---|---|
| First acknowledgment | 2 |
| Initial triage | 10 |
| Resolution | Varies by severity and complexity |
Eligibility Requirements
To qualify for protection under this policy, you must:
- Contact us via our contact form or security@cybermoov.eu and wait for approval.
- Be at least 16 years old (minors require parental consent).
- Not be employed by CYBERMOOV or its business partners, and not be hunting for vulnerabilities in order to promote a business.
- Not act on behalf of a professional cybersecurity company without authorization.
- Comply with all applicable laws and regulations.
Disclosure Guidelines
- Do not publicly disclose or share details of vulnerabilities before resolution.
- Provide sufficient information for reproduction (steps, screenshots, PoC, logs).
- Use your own accounts or test data only.
- Employ non-destructive testing methods (read-only requests).
Violation of these rules may result in immediate disqualification from the program.
Qualifying Vulnerabilities
Reports should demonstrate real impact on confidentiality, integrity, or availability. Examples include:
- Authentication or authorization flaws
- Server-side or remote code execution (RCE)
- Injection vulnerabilities (SQL, XML, etc.)
- Directory traversal or privilege escalation
- Exposure of sensitive or personal information
- Significant security misconfigurations with demonstrable risk
Non-qualifying Vulnerabilities
Not eligible for this program:
- Out-of-scope or third-party domains
- Client-side browser bugs
- XSS, CSRF, clickjacking, or open redirect (unless leading to data loss)
- Automated scanner output or theoretical issues
- DDoS, brute-force, or social-engineering attacks
- Minor misconfigurations, missing headers, or outdated CVEs without exploitability
- Issues in third-party CDN, analytics, or library code
Submission Requirements
Each submission must include:
- Description of the vulnerability and its impact
- Steps to reproduce (URLs, parameters, affected components)
- HTTP request / response samples or logs
- Timestamps and IP addresses used for testing
- Evidence such as screenshots, code, or videos
Authorized actions include harmless diagnostic tests (for example whoami or hostname) and benign uploads.
Unauthorized actions include data modification, shell upload, persistent access, or service disruption.
Recognition and Rewards
Researchers may receive public acknowledgment in our Hall of Fame.
No guarantee of publication is implied.
Ownership and License
By submitting a report, you grant CYBERMOOV a perpetual, royalty-free, worldwide license to use and publish the information for defensive and educational purposes.
Confidentiality
Information accessed or obtained during testing must remain confidential and used only for reporting.
Unauthorized disclosure will result in immediate exclusion from the program.
Termination
Participation may be revoked if you:
- Breach these terms or act unethically
- Threaten, blackmail, or harass staff
- Publicly disclose or misuse confidential information
Indemnification
You agree to hold CYBERMOOV harmless from any third-party claims arising from your actions, reports, or violations of this policy.
Policy Updates
This policy may be modified or discontinued at any time.
The latest version is available at https://cybermoov.eu/security-policy.html.