Reference · Security

Security policy and vulnerability disclosure.

WeeSec applies to its own site and operations the principles we recommend to our clients. This page documents the vulnerability disclosure program (VDP), aligned with RFC 9116, CRA and NIS2.

How to report a vulnerability

If you believe you have identified a security vulnerability affecting weesec.com, its infrastructure or services, please contact us using the following procedure:

  • Primary email: security@weesec.com
  • Acknowledgment SLA: 2 business days.
  • Initial triage SLA: 5 business days.
  • Languages accepted: French, English.

The /.well-known/security.txt file is RFC 9116-compliant and lists official contacts.

Scope

In scope:

  • The weesec.com site and its subdomains.
  • WeeSec-operated online services (forms, public API, client portals).
  • Communications with third-party tools used in production (Calendly, Plausible) when the vulnerability specifically affects our integration.

Out of scope:

  • Vulnerabilities of third-party providers themselves (report directly to the provider).
  • Findings from purely automated analysis without impact demonstration.
  • DoS / DDoS attacks, depending on CDN infrastructure.
  • Vulnerabilities requiring physical access to an employee's hardware.

WeeSec commitments

  1. Receipt: acknowledgment within 2 business days.
  2. Triage: criticality qualification (CVSS 4.0) within 5 business days.
  3. Communication: regular updates on remediation progress.
  4. Remediation: depending on criticality, between 24 hours (critical) and 90 days (low).
  5. Recognition: public credit if you wish (Hall of Fame of contributors).
  6. No legal action: no legal action will be taken against researchers respecting this policy in good faith.

Researcher best practices expected

  • Do not exploit the vulnerability beyond what is strictly necessary to demonstrate its existence.
  • Do not access, modify or delete user data.
  • Do not publish technical details before remediation is effective and coordinated communication has been agreed.
  • Respect GDPR and the privacy of all affected users.

Regulatory compliance

This policy meets the requirements of:

  • RFC 9116 (security.txt): IETF standard for security contact reporting.
  • EU Cyber Resilience Act (Article 13 and Annex I, Part II Section 5): obligation for manufacturers of products with digital elements to operate a vulnerability disclosure program, applicable on September 11, 2026.
  • NIS2 (Article 21.2.j): coordinated vulnerability disclosure policy, part of the mandatory common core for essential and important entities.
  • ENISA Good Practice Guide on Vulnerability Disclosure.

Operating a digital product?

WeeSec helps European software publishers and service operators set up their own vulnerability disclosure program, compliant with CRA and NIS2. See our CRA roadmap article or the CRA pillar page.

Need help structuring your VDP?

A 20-minute scope call. Typical setup in 4-6 weeks.

Book on Calendly