Vulnerability Disclosure Policy
Effective: 30 June 2026
Web3 Serv welcomes reports of security vulnerabilities from researchers acting in good faith. This policy explains how to report, what is in scope, and our commitments to you.
1.Scope
This policy covers web3serv.com and the Web3 Serv platform and services. It does not cover the third-party services we rely on (see our Subprocessors page) — please report issues in those directly to the provider.
2.How to report
Email [email protected] with enough detail to reproduce the issue (affected URL, steps, and impact). Our machine-readable contact is published at /.well-known/security.txt. We can accept encrypted details on request.
3.Safe harbor
We will not pursue or support legal action against researchers who discover and report vulnerabilities in good faith and in accordance with this policy. Act in good faith, avoid privacy violations and service disruption, and give us reasonable time to remediate before any public disclosure.
4.Rules of engagement
Do not access, modify, or delete data that is not yours; do not degrade or interrupt the service; do not run automated scanning that generates significant load; and do not use social engineering, phishing, or physical attacks against our people or facilities.
5.Out of scope
Denial-of-service (DoS/DDoS), volumetric or noise-only automated-scanner output, social engineering, physical security, spam or rate-limit findings without demonstrated impact, and reports about software versions without a working proof of concept.
6.Our commitment
We aim to acknowledge a valid report promptly, keep you informed of remediation progress, and credit you if you wish once the issue is resolved. We do not operate a paid bug-bounty program at this time.