# Cittopia security disclosure
# RFC 9116 — https://datatracker.ietf.org/doc/html/rfc9116
#
# If you have discovered a vulnerability or security concern affecting
# cittopia.com, please report it to us via one of the channels below.
# We commit to acknowledging within 5 working days and to keeping you
# informed of our remediation timeline.

Contact: mailto:security@cittopia.com
Contact: mailto:tunc@cittopia.com
Expires: 2027-05-12T00:00:00.000Z
Preferred-Languages: en, pl, tr
Canonical: https://cittopia.com/.well-known/security.txt
Policy: https://cittopia.com/security
Acknowledgments: https://cittopia.com/security#thanks

# Out-of-scope reports (please direct to the appropriate channel):
# - Spam / abuse from cittopia.com: mailto:abuse@cittopia.com
# - Privacy / GDPR data requests: mailto:privacy@cittopia.com
# - Press inquiries: mailto:press@cittopia.com
# - Partnership inquiries: mailto:partnerships@cittopia.com
# - Methodology critique (The Pulse): mailto:methodology@cittopia.com
# - Legal / contractual: mailto:legal@cittopia.com
#
# What we cover under coordinated disclosure:
# - Authentication & session management vulnerabilities
# - Cross-site scripting (XSS), CSRF, SQL injection
# - Server-side request forgery (SSRF), path traversal
# - Privilege escalation between admin tiers (Citizens / District / City / Regional / Super)
# - Information disclosure beyond intended audience
# - Anti-bot/anti-spam bypass affecting public forms (Wall, Agora, Bring-your-city)
#
# What we do not cover (please don't report — we already know):
# - Demo-grade client-side authentication (auth-gate.js) — explicitly known,
#   scheduled for replacement by server-side auth in Q3 2026 per the public roadmap
# - Findings from automated scanners without proof of exploitability
# - Theoretical attacks without working proof-of-concept
# - Missing security headers on cached static pages where impact is purely theoretical
#
# Thank you for keeping the European civic-tech ecosystem safer.
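A file like the one above is only useful to a researcher if it is actually valid under RFC 9116 when they fetch it. The checker below is an added example, not part of cittopia.com's published file or tooling: it parses the RFC 9116 "name: value" / "# comment" syntax and applies the rules a triage engineer cares about: Contact and Expires must be present, Expires and Preferred-Languages may appear at most once, URI fields must use the schemes the RFC allows (https for web links, mailto/tel for Contact), Expires must be a timezone-aware ISO 8601 date-time that has not passed and, per the RFC's recommendation, lies less than a year out, and Canonical must match the URL the file was served from. The sample text is a constructed copy of the fields above; the "now" timestamps and the BAD_SAMPLE file are assumptions made to exercise the failure paths.

```python
"""Minimal RFC 9116 security.txt checker (added example, not cittopia.com's code)."""
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Field names defined by RFC 9116 (matched case-insensitively).
KNOWN_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                "expires", "hiring", "policy", "preferred-languages"}
REQUIRED = {"contact", "expires"}                 # MUST be present
AT_MOST_ONCE = {"expires", "preferred-languages"}  # MUST NOT repeat
# URI schemes the RFC permits per field; web links must be https.
URI_SCHEMES = {
    "contact": {"https", "mailto", "tel"},
    "canonical": {"https"}, "policy": {"https"},
    "acknowledgments": {"https"}, "hiring": {"https"},
    "encryption": {"https", "dns", "openpgp4fpr"},
}
MAX_LIFETIME = timedelta(days=365)  # RFC 9116 RECOMMENDS less than a year

# Constructed copy of the fields in the file above (comments kept to show they are skipped).
SAMPLE = """\
# Cittopia security disclosure
Contact: mailto:security@cittopia.com
Contact: mailto:tunc@cittopia.com
Expires: 2027-05-12T00:00:00.000Z
Preferred-Languages: en, pl, tr
Canonical: https://cittopia.com/.well-known/security.txt
Policy: https://cittopia.com/security
Acknowledgments: https://cittopia.com/security#thanks
"""

# Constructed invalid file (assumed, for illustration): plain-http Contact,
# duplicated Preferred-Languages, no Expires at all.
BAD_SAMPLE = """\
Contact: http://cittopia.com/security-contact
Preferred-Languages: en
Preferred-Languages: pl
"""


def parse(text: str) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Split a security.txt body into (fields, syntax_errors), keeping field order."""
    fields, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no fields
        name, sep, value = line.partition(":")  # first colon only: values hold URIs
        if not sep or not name.strip() or not value.strip():
            errors.append(f"line {lineno}: not a 'name: value' field: {raw!r}")
            continue
        fields.append((name.strip().lower(), value.strip()))
    return fields, errors


def check(text: str, now: datetime, served_at: Optional[str] = None) -> List[str]:
    """Return a list of problems; an empty list means the file passes every check."""
    fields, problems = parse(text)
    names = [n for n, _ in fields]
    for req in sorted(REQUIRED - set(names)):
        problems.append(f"missing required field: {req}")
    for name in sorted(AT_MOST_ONCE):
        if names.count(name) > 1:
            problems.append(f"field appears more than once: {name}")
    for name, value in fields:
        if name not in KNOWN_FIELDS:
            problems.append(f"unknown field (check spelling): {name}")
        elif name in URI_SCHEMES:
            scheme = urlparse(value).scheme
            if scheme not in URI_SCHEMES[name]:
                problems.append(f"{name.capitalize()} URI scheme {scheme!r} not allowed: {value}")
        elif name == "expires":
            try:
                exp = datetime.fromisoformat(value.replace("Z", "+00:00"))
            except ValueError:
                problems.append(f"Expires is not an ISO 8601 date-time: {value}")
                continue
            if exp.tzinfo is None:
                problems.append("Expires lacks a timezone offset")
            elif exp <= now:
                problems.append(f"file has expired: {value}")
            elif exp - now > MAX_LIFETIME:
                problems.append("Expires is more than a year out (RFC 9116 recommends less)")
        elif name == "preferred-languages":
            if any(not tag.strip() for tag in value.split(",")):
                problems.append(f"Preferred-Languages has an empty language tag: {value}")
    canon = [v for n, v in fields if n == "canonical"]
    if served_at and canon and served_at not in canon:
        problems.append(f"served location {served_at} is not listed in Canonical")
    return problems


if __name__ == "__main__":
    # Assumed fetch time; the file above expires 2027-05-12.
    fetched = datetime(2026, 6, 1, tzinfo=timezone.utc)
    for label, body in (("SAMPLE", SAMPLE), ("BAD_SAMPLE", BAD_SAMPLE)):
        print(label, check(body, fetched, "https://cittopia.com/.well-known/security.txt") or "OK")
```

Run it against the live file by fetching https://cittopia.com/.well-known/security.txt with a plain HTTP client and passing the response body, `datetime.now(timezone.utc)` and the request URL to `check`; the same function slots into a CI job that fails a deploy once Expires is within a few weeks of lapsing, which is the usual way a security.txt quietly goes stale.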