Last updated: 18 April 2026.
1. Scope
This policy applies to all services operated under the esrf.net domain, including the website, directory, atlas, dispatch, and any associated subdomains. It does not cover third-party services we use (Cloudflare, Google, GitHub) — please report vulnerabilities in those services directly to the respective provider.
2. How to report
If you have discovered a potential security vulnerability, please report it to us via email:
security@esrf.net
You may also refer to our security.txt file, published in accordance with RFC 9116.
3. What to include
To help us assess and resolve the issue efficiently, please include:
- A description of the vulnerability and its potential impact.
- Step-by-step instructions to reproduce the issue.
- The URL(s) or component(s) affected.
- Screenshots or proof-of-concept code, if applicable.
- Your contact information for follow-up.
4. Our commitment
When you report a vulnerability in good faith, we commit to:
- Acknowledgement — we will confirm receipt of your report within 48 hours.
- Assessment — we will investigate and provide an initial assessment within 5 business days.
- Resolution — we will work to resolve confirmed vulnerabilities as quickly as possible and keep you informed of progress.
- Credit — with your permission, we will publicly acknowledge your contribution after the issue is resolved.
- No legal action — we will not take legal action against researchers who act in good faith and in compliance with this policy.
5. Guidelines for researchers
We ask that you:
- Do not access, modify or delete data belonging to other users or organisations.
- Do not perform denial-of-service attacks or any actions that could disrupt our services.
- Do not publicly disclose the vulnerability before we have had a reasonable opportunity to address it (minimum 90 days).
- Do not use automated scanning tools that generate excessive traffic.
- Act in good faith to avoid privacy violations and disruption to our community.
6. Out of scope
The following are generally not considered in-scope vulnerabilities:
- Clickjacking on pages with no sensitive actions (informational pages).
- Missing HTTP headers that do not lead to a direct exploit (unless covered by our CSP).
- Reports from automated tools without a demonstrated impact.
- Social engineering attacks against ESRF staff or community members.
- Issues in third-party services (Cloudflare, Google AdSense, etc.).
7. Legal framework
This responsible disclosure policy is aligned with the NIS2 Directive (EU 2022/2555) and the Dutch coordinated vulnerability disclosure guidelines published by the NCSC-NL. Stichting ESRF European Security and Resilience Fund encourages responsible security research and considers it an essential contribution to the resilience of our platform.