Vulnerability Disclosure Program
The security of Church Rating and the people who use it matters deeply to us. If you believe you have found a security vulnerability in our service, we welcome your report. We are committed to working with security researchers acting in good faith, and this page explains how to reach us and what you can expect.
Scope
This program covers:
- churchrating.com and its subdomains
- The APIs we operate under those domains
Guidelines
When researching, please:
- Report any vulnerability you discover promptly.
- Test only against accounts and data you own.
- Use an exploit only to the extent needed to confirm the vulnerability — don’t use it to pivot further, persist access, or demonstrate additional risk.
- If you encounter personal data that isn’t yours, stop immediately and note it in your report.
- Keep details confidential until we have resolved the issue.
Please do not:
- Run denial-of-service tests or anything that degrades the service for others.
- Use social engineering, phishing, or physical attacks against us or our users.
- Send spam or unsolicited messages to users.
- Run high-volume automated scanning against the service.
- Access, modify, or delete data that isn’t yours beyond the minimum needed for a proof of concept.
Out of scope
- Vulnerabilities in third-party services we rely on — please report those to the relevant provider.
- Reports of missing best practices without a demonstrated security impact — for example, missing email authentication records, clickjacking on pages with no sensitive actions, or software version disclosure.
How to report
Email security@churchrating.com with:
- A description of the vulnerability and its potential impact.
- The URLs or endpoints affected.
- Step-by-step instructions to reproduce it.
What to expect
- We will acknowledge your report within 3 business days.
- We will keep you informed as we investigate and fix the issue.
- With your permission, we are glad to credit you publicly once the issue is resolved.
Safe harbor
We will not pursue or support legal action against you for security research conducted in good faith that follows these guidelines. If a third party brings action against you for activity this program authorizes, we will make it known that you acted in accordance with this policy.
Rewards
We do not operate a paid bug bounty program. We are sincerely grateful for responsible reports and are happy to acknowledge your contribution if you would like.