Security
Responsible disclosure policy
We take security reports seriously. This page tells you how to report something, what we count as in-scope, what we ask you not to do, and what to expect from us.
Report to
support@cryptoworldnews.world
How to report
Email support@cryptoworldnews.world with a subject line that starts with [security]. Include:
- What you found and how to reproduce it (request, URL, payload, screenshots).
- The impact: what an attacker could read, write, or do.
- Your contact details so we can ask follow-up questions and credit you, if you want credit.
Reports in any language are fine. We read English fastest.
What's in scope
- The production site at cryptoworldnews.world and its subdomains.
- The web dashboard, marketing pages, API endpoints, and the PWA on iOS and Android.
- Authentication, session handling, payment flows, account isolation, and personal-data handling.
What's NOT in scope
- Denial-of-service attacks, volumetric traffic, or rate-limit probing that affects other users.
- Social engineering of staff, contractors, or users.
- Physical attacks, phishing of our customers, or attempts to access hardware.
- Findings from automated scanners with no demonstrated impact (we get a lot of these).
- Reports about third-party services we use (Stripe, Resend, CoinGecko, etc.) — please report those to the vendor directly.
- Missing best-practice headers (HSTS preload, CSP nits) without a working exploit chain.
- Self-XSS, open redirects without sensitive impact, or weaknesses requiring physical access to an unlocked device.
What we ask you not to do
- Don't access, modify, or exfiltrate data that isn't yours. If you find a way to read someone else's account, stop and report it.
- Don't run automated scanners against the live site. Hand-craft your tests.
- Don't share details of the issue publicly until we've had a chance to fix it. We will not threaten you for reporting; please don't blog the exploit while users are still vulnerable.
- Don't pivot from one bug into the network or other systems.
What you can expect from us
- An acknowledgement within 3 business days.
- A first technical assessment within 10 business days.
- Honest communication about severity, planned fix timeline, and whether we'll fix or accept the risk.
- A credit on this page if you want one, once the issue is resolved.
- We do not currently run a paid bug bounty, and we say so up front so there are no surprises.
Safe harbour
If you act in good faith, follow this policy, and report promptly, we will not pursue legal action under the Computer Misuse Act 1990 (UK), the Computer Fraud and Abuse Act (US), or equivalent laws elsewhere. We'll also work with you to clarify scope before you test if you're unsure.
Public files
Operator
This site is operated by Fascia Holdings Limited (SC623979), Edinburgh, United Kingdom.