Skip to main content
SECURITY DISCLOSURE

VulnerabilityDisclosure Policy

Responsible reporting channel for security issues affecting CreativDigital owned web properties.

Last updated: April 27, 2026

CREATIV DIGITAL AGENCY SRL welcomes good-faith vulnerability reports that help protect our website, users and infrastructure. This policy defines the authorized reporting process and the boundaries for safe testing.

1. Contact

Send security reports to security@creativdigital.ro.

If that mailbox is unavailable, use office@creativdigital.ro as the fallback contact.

Please include the affected URL, steps to reproduce, expected and actual behavior, impact, relevant screenshots or logs, and your preferred contact details for follow-up.

2. Scope

The following assets are in scope for this policy:

  • https://creativdigital.ro
  • https://www.creativdigital.ro

Third-party platforms, client systems, social media profiles, DNS providers, hosting providers and integrations not operated by CREATIV DIGITAL AGENCY SRL are outside this policy.

3. Allowed Research

  • -Review public pages and client-side behavior on creativdigital.ro.
  • -Report suspected vulnerabilities with clear reproduction steps and impact.
  • -Use only your own accounts, test data, browser session and network connection.
  • -Stop testing and report immediately if you access data that is not yours.

4. Prohibited Activity

  • -Denial of service, stress testing, spam, phishing or social engineering.
  • -Attempts to access, modify, delete, exfiltrate or persist third-party data.
  • -Physical attacks, employee targeting or attacks against vendors and clients.
  • -Automated high-volume scanning that degrades availability or creates noise.

5. Response and Disclosure

We aim to acknowledge valid reports within five business days and will share remediation updates when practical. Please do not publicly disclose a vulnerability before we have investigated and resolved it, unless we have given written permission.

CREATIV DIGITAL AGENCY SRL does not currently operate a paid bug bounty program. Reports are appreciated, but monetary rewards are not guaranteed or implied by this policy.

6. Good-Faith Safe Harbor

We will not pursue legal action against researchers who act in good faith, stay within this policy, avoid privacy violations and report vulnerabilities promptly. This does not authorize illegal activity or activity against third-party systems.

A machine-readable security contact is available at /.well-known/security.txt.