Security Policy

We take security seriously. If you've found a vulnerability, we want to hear from you through our responsible disclosure process.

Report a Vulnerability

Found a security issue? Please report it privately to:

[email protected]

Response time: 3 business days

Our Commitment

  • No legal action for responsible reports
  • Timely acknowledgment
  • Regular progress updates
  • Public recognition (optional)

At National Day Calendar, we take the security of our systems and the privacy of our users seriously. We believe that no system is 100% secure, and we value the help of the security research community to keep our platform safe.

Guidelines for Responsible Disclosure

To encourage responsible disclosure, we ask that you:

  • Report Privately: Share the full details of any vulnerability you find exclusively with us by emailing [email protected].
  • Provide Details: Include a clear, written description of the vulnerability and the steps needed to reproduce it (a "Proof of Concept").
  • Do No Harm: Do not attempt to access, modify, or delete data belonging to our users. Do not perform Denial of Service (DoS) attacks or use social engineering against our staff.
  • Allow Time: Give us a reasonable amount of time to investigate and remediate the issue before making any information public.

Out-of-Scope Vulnerabilities

While we review all reports, the following are generally considered out-of-scope unless they lead to a significant, direct vulnerability:

  • "Clickjacking" on pages without sensitive actions
  • Lack of "Best Practice" headers (e.g., CSP, HSTS) unless a bypass is demonstrated
  • Reports of non-masked passwords in UI
  • Spam or Social Engineering techniques
  • Publicly disclosed vulnerabilities in third-party services
  • Exposed root directory files belonging to unchanged, open-source third-party software (e.g., composer.json, README, LICENSE files) unless paired with a functional exploit

Safe Harbor

If you follow the guidelines above when reporting an issue to us:

  • Legal Protection: We will not pursue legal action against you.
  • Acknowledgment: We will acknowledge receipt of your report within 3 business days.
  • Updates: We will keep you updated as we work to resolve the issue.
  • Recognition: We will offer you a spot in our Security Acknowledgments Hall of Fame once the issue is resolved.

Compensation

National Day Calendar does not operate a paid bug bounty program at this time. We do not offer financial rewards for vulnerability reports. We do, however, offer our sincere thanks and public recognition on our Hall of Fame page for valid, responsibly disclosed findings.

Questions?

If you have questions regarding this policy, please reach out to our engineering team at [email protected].

Last Updated: May 16, 2026