Security Policy
This page outlines our disclosure process, contacts, and service level agreements (SLA).
Disclosure Contacts
- Email: info@indrasnet.ee
- Language: English only
- Format: Plain text email (PGP available on request)
- security.txt: /.well-known/security.txt
Scope
- indrasnet.ee static site and published documents
- dao.indrasnet.ee validation dashboard (read-only demonstrator)
Out of scope: third-party infrastructure outside IndrasNet OÜ control.
Service Level Agreement (SLA)
| Step | Timeline | Details |
|---|---|---|
| Initial Response | 48 hours | Confirmation of report receipt |
| Acknowledgment | 24 hours | Automatic confirmation of receipt |
| Assessment & Classification | 48 hours after acknowledgment | Severity determination (Critical/High/Medium/Low) and impact evaluation |
| Fix Coordination | Depends on severity | Critical: immediate; High: within 7 days; Medium: within 30 days; Low: within 90 days |
| Publication | After fix release | Coordinated Disclosure, researcher acknowledgment (optional) |
Disclosure Process
- Send report → info@indrasnet.ee
- Acknowledgment → within 24 hours
- Assessment & classification → within 48 hours
- Fix coordination → according to SLA
- Publication → after fix release
Additional Recommendations
- Use the Coordinated Vulnerability Disclosure (CVD) format
- Critical vulnerabilities are handled with the highest priority
- Bug bounty program: coming soon