Security & Responsible Disclosure
Last updated: April 5, 2026
We take the security of the EuroValidate API and its users seriously. If you believe you have discovered a vulnerability, please report it to us responsibly.
Reporting a vulnerability
Email [email protected] with:
- A clear description of the issue and its impact.
- Steps to reproduce, including the endpoint, payload, and any prerequisites.
- Your name or handle if you would like public acknowledgment.
We acknowledge reports within 2 business days and aim to ship a fix or mitigation within 30 days for high-severity issues.
Scope
- api.eurovalidate.com — the production API
- eurovalidate.com — the landing and documentation site
- Official SDKs published under the eurovalidate organisation on PyPI, npm, Packagist
Out of scope
- Denial-of-service testing, brute-force, or load testing against production.
- Social engineering of employees or customers.
- Physical attacks against our infrastructure provider (Hetzner).
- Reports of missing security headers without a demonstrated exploit.
- Findings against third-party services (Stripe, Cloudflare, Resend) — please report to them directly.
Safe harbour
We will not pursue legal action against researchers who:
- Act in good faith and comply with this policy.
- Avoid privacy violations, service disruption, and data destruction.
- Give us reasonable time to investigate and remediate before public disclosure.
PGP / encrypted reports
If you need to transmit sensitive proof-of-concept data, request our PGP public key by email first.
Hall of fame
Researchers who have responsibly reported confirmed issues (with their consent):
- No reports yet. Be the first!
Questions
General security questions: [email protected].
See also our security.txt.