
Security Disclosure Policy

Crisis Connect is an emergency communication product with open-source mobile code, offline networking, Firebase-backed rescue workflows, role verification, and public web properties. We welcome good-faith vulnerability reports that help protect users and response teams.

Last updated: June 2, 2026

Report privately

Do not publish exploit details or open public issues before we have reviewed and remediated the risk.

1. In-Scope Assets

This policy covers Crisis Connect assets that we operate or maintain, including crisisconnect.network, crisisconnect.com.tr, the public website, Crisis Connect mobile applications, our open-source Android codebase, Firebase-backed app services, role-certificate and rescue authorization flows, and official support or download channels.

Third-party infrastructure remains governed by the third party's own vulnerability disclosure program unless we explicitly authorize testing.

2. How to Report a Vulnerability

Email security@crisisconnect.network with a clear subject line and enough detail for us to reproduce the issue.

  • Describe the affected asset, app version, device or browser, account type, and environment.
  • Include steps to reproduce, screenshots, logs, proof-of-concept details, and expected impact where safe.
  • Redact personal data, real emergency content, access tokens, private keys, and unrelated secrets.
  • Do not post exploit details in public GitHub issues, social media, app reviews, or community channels.

3. Research Rules

Security testing must be non-destructive, proportionate, and limited to systems and accounts you are authorized to use.

  • Do not access, copy, alter, delete, or exfiltrate data that is not yours.
  • Do not degrade service availability, spam nearby users, jam wireless communication, or interfere with emergency workflows.
  • Do not bypass physical security, social-engineer staff or users, or test third-party providers without permission.
  • Stop testing and notify us immediately if you encounter sensitive data, active emergency data, or a safety-impacting condition.

4. Out-of-Scope Reports

Some findings may be useful context but are usually out of scope without a clear exploit path.

  • Automated scan output without validation or impact.
  • Social engineering, phishing, physical attacks, or denial-of-service testing.
  • Missing security headers or cookie flags without a realistic attack path.
  • Issues only affecting outdated devices, rooted devices, modified APKs, or user-controlled local storage without privilege escalation.
  • Reports against Firebase, app stores, mapping providers, analytics providers, or other third-party systems outside our control.

5. Safe-Harbor Expectations

When you act in good faith, stay within this policy, avoid privacy and safety harm, and report promptly, we will not initiate legal action against you for the research activity alone. This does not authorize unlawful conduct, data misuse, extortion, public disclosure before coordination, or activity outside the stated scope.

6. Our Handling Process

We aim to acknowledge credible reports, triage severity, investigate affected components, remediate validated issues, and coordinate disclosure where appropriate. Emergency communication and rescue-authorization issues may be prioritized because they can affect public safety, responder trust, device identity, Firebase rules, App Check enforcement, role certificates, or offline message integrity.

7. No Bug Bounty Commitment

Crisis Connect does not currently operate a paid bug bounty program. Submitting a report does not create an entitlement to payment, reward, employment, public credit, or ongoing access. We may provide acknowledgment at our discretion when it is safe and lawful to do so.

8. Open-Source Repository Guidance

For open-source code, use public issues for general hardening, documentation, and non-sensitive bugs. Use private security email for suspected vulnerabilities, bypasses, authentication defects, authorization defects, key-handling problems, rescue-role abuse paths, App Check bypasses, or anything that could help attackers before a fix is available.

9. Security Contact

Use this address for vulnerability reports, coordinated disclosure questions, or security policy concerns.

Auralis Security Team

security@crisisconnect.network