Responsible Disclosure Policy

Last Updated: January 1, 2025

1. Introduction

At Earth Club LLC, we take the security of our systems and the privacy of our customers seriously. We appreciate the security research community's efforts in helping us maintain the security of our website and systems. This Responsible Disclosure Policy outlines our guidelines for security researchers who wish to report vulnerabilities.

2. Our Commitment

We commit to:

  • Respond to your report within 3 business days
  • Keep you informed about our progress addressing the vulnerability
  • Credit researchers who report valid security issues (upon request)
  • Not pursue legal action against researchers who comply with this policy
  • Work with researchers to understand and resolve issues quickly

3. Reporting Guidelines

If you believe you have discovered a security vulnerability, please:

  1. Do not access, modify, or delete data belonging to others
  2. Do not perform actions that could harm our services or users
  3. Do not publicly disclose the vulnerability before we have had a chance to address it
  4. Provide sufficient detail to help us understand and reproduce the issue
  5. Use the contact methods specified below to report the vulnerability

4. How to Report a Vulnerability

Security Contact:

Email: security@earthclub.kitchen

For sensitive reports, please use PGP encryption. Our public key is not published on this page; request it by email from the address above before sending vulnerability details.

Please include in your report:

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Any proof-of-concept code or screenshots
  • Your contact information (if you wish to be credited)
  • Any recommendations for remediation

5. Scope

This policy applies to:

  • earthclub.kitchen and all subdomains
  • Our mobile applications (if applicable)
  • API endpoints
  • Third-party services that we directly operate or control

This policy does not apply to third-party services we use but do not directly operate or control; report issues in those services to the respective vendor.

6. Eligible Vulnerabilities

We are particularly interested in reports concerning:

  • SQL Injection
  • Cross-Site Scripting (XSS)
  • Cross-Site Request Forgery (CSRF)
  • Server-Side Request Forgery (SSRF)
  • Authentication or authorization flaws
  • Remote code execution
  • Data exposure or privacy issues
  • Payment processing vulnerabilities

7. Out of Scope

The following are generally considered out of scope:

  • Social engineering attacks
  • Physical security issues
  • Denial of Service (DoS) attacks
  • Spam or social media account issues
  • Issues in third-party applications or websites
  • Recently disclosed zero-day vulnerabilities
  • Issues requiring unlikely user interaction
  • Missing security headers with no demonstrable impact
  • SSL/TLS configuration recommendations without a demonstrated vulnerability

8. Safe Harbor

When conducting security research according to this policy, we consider your activities authorized and will not pursue legal action. We regard your actions as conducted in good faith to help improve our security.

However, if your security research involves networks, systems, information, applications, products, or services not listed in the scope section, contact us immediately at security@earthclub.kitchen before continuing.

9. Testing Guidelines

When testing:

  • Only test on accounts you own or have explicit permission to test
  • Do not attempt to access other users' data
  • Do not perform load testing or resource-intensive tests
  • Do not use automated scanning tools without prior approval
  • Do not exploit a vulnerability beyond what is necessary to demonstrate it
  • Do not send phishing emails to our employees or customers

10. Disclosure Timeline

We ask that you:

  • Allow us a reasonable time to address the vulnerability before public disclosure
  • Wait for our confirmation before publicly disclosing
  • Coordinate with us on the timing of any public disclosure

We aim to resolve critical vulnerabilities within 90 days of confirmation. We will keep you updated on our progress and expected timeline.

11. Recognition

We recognize and thank security researchers who help us maintain a secure environment. With your permission, we may:

  • Credit you in our security acknowledgments, naming you and your contribution publicly
  • Provide a letter of thanks acknowledging your responsible disclosure

12. Bug Bounty Program

While we do not currently offer a formal bug bounty program, we greatly appreciate security research efforts. We may provide swag, store credit, or other tokens of appreciation for significant findings at our discretion.

13. Contact Information

For security-related inquiries or to report a vulnerability:

Security Team

Earth Club LLC

447 Broadway 2nd Floor

New York, NY 10013

Email: security@earthclub.kitchen

Please do not report security vulnerabilities through public GitHub issues, social media, or other public channels.

14. Policy Updates

We may update this Responsible Disclosure Policy from time to time. We encourage you to review this page periodically for the latest information on our disclosure policies.