Security at W3B
Last updated: April 23, 2026
If you've found a security issue on this website, we want to hear about it. Good-faith researchers are welcome: we'll acknowledge your report, keep you in the loop, and credit you publicly if you want.
In scope
- web3bit.ro and any of its subdomains
- API endpoints served under web3bit.ro/*
- Third-party integrations we own: the contact-form action, the Calendly embed, and the Turnstile challenge
Out of scope
- Social engineering of our team, contractors, or clients
- Physical attacks against our working address or hardware
- Denial-of-service or volumetric DDoS testing
- Publicly-known CVEs awaiting a vendor fix
- Bugs in third-party platforms we do not operate: Vercel, Resend, Microsoft Clarity, Google Analytics, Cloudflare Turnstile (report those to the respective vendors)
How to report
Email us at security@web3bit.ro with the subject prefix [w3b-vdp]. Please include:
- A clear description of the issue and its impact
- Steps to reproduce (ideally a minimal proof-of-concept)
- Affected URL, endpoint, or build
- Whether you'd like public credit once the issue is resolved
Response SLA
- Acknowledgement within 72 hours of your initial report
- Initial triage and severity assessment within 7 days
- Regular status updates until the issue is closed
Safe harbor
We will not pursue legal action against researchers who act in good faith, stay within the scope described above, avoid degrading our service for others, and do not access, exfiltrate, modify, or retain user data beyond what is minimally necessary to demonstrate a vulnerability. If you're unsure whether something is in scope, ask first.
Rewards
We do not operate a formal bug-bounty program. For meaningful findings, we evaluate rewards case-by-case, typically a thank-you, public credit, and at our discretion a gratuity for impactful reports.
Machine-readable
This policy is also published per RFC 9116 at /.well-known/security.txt.