Security: eurofurence/crittersystem

SECURITY.md

Security Policy

Reporting a Vulnerability

If you identify a security vulnerability, please contact us directly by emailing critter@eurofurence.org. In your message, kindly include a detailed description of your findings and any relevant supporting information. We appreciate your proactive efforts in helping us maintain the security of our systems.

Use of External Reporting or Bug Bounty Services

We kindly request that you refrain from using any external reporting or bug bounty services for disclosing vulnerabilities. Our experience has shown that these services often introduce unnecessary complexity and overhead, which can delay our response.

Please send any security-related bug reports directly to critter@eurofurence.org.

Response Time and Escalation

We strive to respond to security reports within 14 days. However, please note that the Critter system is primarily used only during Eurofurence, which takes place once a year in late summer or early autumn. During the off-season, particularly outside of the convention planning period, the Critter system is not active, and response times may be longer due to the volunteer nature of the project.

If you do not receive a response within this timeframe, or if you believe the issue requires immediate attention, you are encouraged to disclose the vulnerability publicly through our GitHub issue tracker. To do so, create an issue with a title prefixed by [SECURITY] to ensure it is promptly addressed.

Handling of Critical Vulnerabilities

In the event that you discover a critical vulnerability warranting a Common Vulnerabilities and Exposures (CVE) identifier, we will handle the process of issuing a CVE ourselves. There is no need to involve a third-party bug bounty platform for this purpose.

There aren’t any published security advisories