Trust

Responsible Disclosure Policy

We welcome vulnerability reports and commit to fair, timely, and transparent handling. Your work protects our customers and the wider community.

How to report
  • Emailnp@creativeground.dk
  • Encrypt with our PGP key
  • Include steps to reproduce, impact, affected versions, and a contact handle.
  • We acknowledge within 3 business days and share a tracking ID.
Safe harbor

We won’t pursue legal action for good-faith research that avoids privacy violations, service degradation, or data exfiltration beyond what’s necessary to demonstrate impact.

Please do not access customer data, pivot to third parties, or run destructive tooling.

Target timelines
  • Triage & acknowledgement: within 3 business days
  • Initial assessment: within 10 business days
  • Fix or mitigation target: 90 days (severity-dependent)
  • Coordinated public disclosure after fix or by mutual agreement
Out of scope
  • Denial-of-service and volumetric attacks
  • Clickjacking on pages without sensitive actions
  • User enumeration without impact
  • Reports without a clear security impact

Also published at

/.well-known/security.txt with contact details, PGP, and acknowledgements URL.
Get PGP keySee advisories

Thank you

Researchers keep our customers safer

We credit contributions publicly (with consent) and coordinate timelines that protect users first.

Contact security teamTransparency & CVE research