Security Policy

Our mission is to keep our users safe online, and your role as a security researcher is integral to this. You play an essential part in the community effort to protect and maintain the security of our systems. Responsible disclosure of security vulnerabilities helps us ensure our users' and customers' security and privacy. If you find any indication of a serious vulnerability in this system, we encourage you to disclose your discovery to us as quickly as possible in accordance with this Security Policy.

Expectations

We are committed to working with you to understand and validate your report, including a timely initial response to the submission. This collaborative approach is key to our shared goal of maintaining the security of our systems. We will work to remediate discovered vulnerabilities promptly.

Scope

To determine whether a domain is in scope, check whether we own it or whether it resolves to our IP ranges. The scope of this Security Policy covers the services on the domains used by this information system:

ceskaposta.cz has IP address 193.150.24.140
www.ceskaposta.cz has IP address 193.150.24.140

Authorization

1. If you make a good-faith effort to comply with this policy during your security research, we will consider your research a valuable contribution to our security efforts. We appreciate your efforts and your role in helping us maintain a secure online environment for our users.
2. We will regard your effort as lawful, helpful to the overall security of the Internet, conducted in good faith, and authorized under applicable law. This means we will neither initiate nor support legal action against you, even for accidental, good-faith violations of this policy, nor bring a claim against you for circumventing technical controls.
3. As always, you must comply with all applicable laws and with this policy. If a third party initiates legal action against you and you have complied with this policy, we will take steps to make it known that you acted in compliance with it.
4. By submitting any information, you grant us a perpetual, royalty-free, and irrevocable right to use, reproduce, modify, adapt, publish, translate, distribute, transmit, publicly display, publicly perform, sublicense, create derivative works from, and transfer that information.

Contact

You may submit your report to the e-mail address indicated in our security.txt. We encourage you to use PGP in any case.

Rules and guidelines

If you establish that a vulnerability exists, or you encounter any sensitive data (including personally identifiable information, proprietary information, financial information, or trade secrets of any party), you must stop your testing, notify us immediately, and not disclose that data to anyone else. Do not engage in extortion or blackmail.

To avoid any confusion between legitimate research and a malicious attack, we ask that you play by the rules:

1. Perform activities only on in-scope systems, and respect systems and activities that are out of scope.
2. Handle the confidentiality of the details of any discovered vulnerability according to this Security Policy.
3. Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming the user experience.
4. Use only the official channels to discuss vulnerability information with us.
5. Report any vulnerability you discover promptly. Do not submit a high volume of low-quality reports.

Prohibited activities

The prohibited activities include in particular:

1. Non-coordinated vulnerability disclosure.
2. Irreversible damage to systems and/or corruption of data.
3. Attacking non-internet-facing systems (internal networks, private IP addresses, workstations, smartphones) or attempting to gain physical access (including entering or surveilling premises).
4. Denial of service (including resource exhaustion, automated scanners sending more than 10 requests per second, data deletion, fuzzing, etc.).
5. Logging in to accessible accounts and using them to act under someone else's identity or responsibility.
6. Installing unauthorized code (especially persistent backdoors) or running unauthorized system commands.
7. Spamming users by imitating the system's real e-mail and/or SMS notifications.
8. Social engineering (including phishing, spear phishing, vishing, smishing, and similar user-hostile activities) against users or employees.

These actions are strictly forbidden because of their potential to harm our systems and users. Engaging in these activities may result in [specific consequences].

Issues out of scope

Issues without direct security impact, including missing hardening or defense-in-depth measures, are out of the scope of this policy, in particular:

Findings from physical testing (such as office access, open doors, tailgating authorized individuals, etc.).
Findings derived primarily from social engineering (URL clicks from phishing e-mails, user actions provoked by smishing, vishing, or spamming).
Findings from applications or systems not listed in the `Scope` section.
Findings involving the exposure of credentials not associated with this system that originate from publicly available sources (i.e., published on a website, posted on social networks, etc.).
UI and UX bugs and spelling mistakes.
Network-level Denial of Service (DoS/DDoS) vulnerabilities.
Missing cookie flags and security headers (or other recommendations of "what could be improved").

We specifically do not want to receive:

1. Sensitive information, logins, passwords, personally identifiable information, data messages, and financial information.
2. Results from automated scanning tools (especially from internet-wide scanning services such as Shodan, Netlas, Censys, ZoomEye, BinaryEdge, or Onyphe).

Legalities

We designed this policy to be compatible with good practice for vulnerability disclosure. It does not permit you to act in a manner inconsistent with the law, or in a manner that might cause our organization (or any third party) to breach any legal obligation.