Vulnerability Disclosure Policy

Introduction

We take security seriously — not just for our customers, but for ourselves as well. If you've discovered a security vulnerability in our systems or website, we'd appreciate you letting us know. This page describes how to do that and what to expect from us.

Scope

This policy applies to:

• actinet.cz and all subdomains
• support.actinet.cz

It does not apply to infrastructure, systems or services operated on behalf of our customers. Testing customer environments without explicit consent from the respective customer is prohibited.

Rules

We ask that you follow these rules when researching and reporting vulnerabilities:

• Do not perform destructive testing — no DoS, no deleting or modifying data
• Do not access other users' data; if you encounter it accidentally, do not distribute it
• Do not disclose the finding publicly until it has been fixed or we agree on disclosure
• Do not exploit the vulnerability beyond what is necessary to confirm its existence
• Comply with applicable laws of the Czech Republic

How to report

Report vulnerabilities by email to info@actinet.cz.

Please include:

• Description of the vulnerability and its type (XSS, SQLi, IDOR, misconfiguration, etc.)
• Steps to reproduce — how to reach the vulnerability
• Estimated impact — what an attacker could gain or cause
• Screenshots, logs or proof-of-concept, if available
• Your contact details for follow-up

If you wish to communicate securely, write to us first to request our PGP key.

What to expect from us

• Acknowledgement — within 3 business days
• Initial assessment — within 10 business days we'll let you know whether we recognise the finding and what the next steps are
• Fix — within a reasonable timeframe proportional to the severity of the finding
• Notification — once the vulnerability is resolved, we'll let you know

Safe harbor

If you act in accordance with this policy, we commit to:

• Not taking any legal action against you
• Not filing criminal complaints or otherwise cooperating with law enforcement in connection with your research
• Acting in good faith and with respect towards you

This applies exclusively to systems within the scope defined above and on condition that the rules of this policy are followed.

Recognition

With the researcher's consent, we are happy to publicly acknowledge responsibly disclosed vulnerabilities. If you'd like to be credited (name, handle or link), let us know.

We do not currently operate a bug bounty programme with financial rewards.

Contact

• Email: info@actinet.cz
• security.txt: /.well-known/security.txt

This policy is effective from 12 May 2026.