SECURITY
Security & Vulnerability Disclosure Policy
Last updated: 2026-06-01 — ScandistreamTV
We take the security of our service and our customers seriously. If you believe you have found a security vulnerability affecting scandistreamtv.com or any associated infrastructure, we welcome your report under the terms below.
Scope
In scope:
scandistreamtv.com and all subdomains
- Payment processing flows on this domain
- Authentication and account management endpoints
Out of scope:
- Third-party services (Cloudflare, Stripe, Lemon Squeezy, etc.) — report directly to them
- Volumetric denial-of-service attacks (DDoS)
- Social engineering of staff or customers
- Physical attacks on our infrastructure
- Issues already known to us or publicly disclosed
- Best-practice findings without demonstrated impact (e.g. missing security headers on static pages without sensitive data)
How to report
Email [email protected] with:
- A clear description of the vulnerability
- Steps to reproduce (proof-of-concept, screenshots, request/response captures)
- Impact assessment — what an attacker could achieve
- Your contact details (we will acknowledge within 72 hours)
If your report is sensitive, you may encrypt it. Request our PGP public key in your first message.
Safe Harbor
We will not pursue legal action against researchers who:
- Make a good-faith effort to comply with this policy
- Avoid privacy violations, destruction of data, and interruption of service
- Do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability
- Give us reasonable time to remediate before any public disclosure (we target 90 days)
What to expect
- Acknowledgment within 72 hours of your report
- Triage and validation within 7 business days
- Remediation timelines depend on severity:
- Critical: 7 days
- High: 30 days
- Medium: 60 days
- Low: 90 days
- Public acknowledgment (with your permission) once remediation is verified
Bug bounty
We do not currently operate a paid bug bounty programme. Verified, high-quality reports may be acknowledged publicly (see Acknowledgments below) and may receive a small token of appreciation at our discretion.
Acknowledgments
Researchers who have responsibly disclosed valid security issues will be listed here with their consent.
Machine-readable contact
See /.well-known/security.txt (RFC 9116).