1. Reporting channel
Email security@musaium.com with a description of the issue, reproduction steps, affected component (backend / mobile / web), and your contact details. Anonymous reports are welcome.
PGP-encrypted submission is available on request — email us and we will arrange a key exchange. A public PGP key will be published at https://musaium.com/.well-known/pgp-key.txt once V1 ships.
Please do NOT open public GitHub issues, post on social media, or contact unrelated team members for vulnerability reports. The security email is the only official channel.
Discovery resources: https://musaium.com/.well-known/security.txt (RFC 9116) and our SECURITY.md on GitHub.
2. Our commitments
Acknowledgement within 5 working days of receipt (target 24 hours).
Initial triage decision (in-scope / out-of-scope, severity) within 10 working days.
Status updates at least every 2 weeks while remediation is in progress.
Patch and public advisory target: 90 days from acknowledgement, with a possible 30-day extension communicated to the reporter when remediation is complex.
Credit on our hall-of-fame page after the issue is fixed, if you wish (and if the report is in scope and accurate).
3. Scope — in scope
musaium.com and *.musaium.com (production web and API endpoints).
The Musaium iOS app distributed via the App Store (current version).
The Musaium Android app distributed via Google Play (current version).
The OpenAPI surface served at api.musaium.com.
4. Out of scope
Third-party services we use but do not control: App Store, Google Play, OVH, Stripe, OpenAI, Deepseek, Google AI, Sentry, museum data partners, CDN providers. Report directly to them.
Denial-of-service (DoS / DDoS), volumetric attacks, resource exhaustion.
Social engineering of staff, contractors, museums or users (phishing, vishing, SMS).
Physical security testing (office access, devices).
Automated scanner output without proof of real impact.
Findings limited to outdated dependency versions without a demonstrated exploit path.
Reports requiring already-compromised user accounts or already-rooted / jailbroken devices.
Self-XSS, missing security headers without an exploit, clickjacking on non-sensitive pages, missing rate limiting on non-sensitive endpoints.
Issues affecting only unsupported / outdated browsers or OS versions.
Vulnerabilities only exploitable via debug builds or developer-mode features.
5. Rules for researchers
Make a good-faith effort to avoid harm to users, services, and data.
Use test accounts you create yourself; never access another user’s data.
Stop and report immediately if you encounter personal data, payment data, or credentials that are not yours. Do not exfiltrate, store, or share any data you accidentally access.
Do not perform DoS, social engineering, or physical testing. Do not pivot to non-Musaium systems or attack our suppliers / partners.
Give us reasonable time to remediate before public disclosure (default 90 days, Project Zero "90 + 30" pattern).
6. Safe harbour
When you conduct vulnerability research according to this policy, we consider your activities authorised under applicable anti-hacking laws (French Code pénal art. 323-1 et seq., German StGB §202c, US CFAA 18 U.S.C. §1030, UK Computer Misuse Act and equivalents) and applicable anti-circumvention laws (art. 6 of EU Directive 2001/29/EC, US DMCA §1201).
We exempt your activity from restrictions in our Terms of Service and Acceptable Use Policy that would otherwise prohibit security research, and consider it lawful, helpful to the security of our users, and conducted in good faith.
We will not pursue legal action for good-faith research within this policy. If a third party brings legal action against you for activity that complied with this policy, we will make this safe harbour known.
Limits we cannot waive: this safe harbour applies only to legal claims under our control. It cannot bind third parties (App Store, Google Play, OVH, Stripe, OpenAI, museum partners). Activity outside this policy — willful harm, ransom demands, unauthorised data exfiltration, social engineering — is not covered.
7. Coordinated disclosure timeline
Default coordination window: 90 days from acknowledgement, with optional 30-day extension when remediation is complex. Public advisory published 30 days after the patch ships, allowing users an update window.
For actively exploited vulnerabilities that qualify under the EU Cyber Resilience Act (Regulation 2024/2847), we follow the ENISA Single Reporting Platform timeline, applicable from 2026-09-11: a 24-hour early warning, a 72-hour full notification, and a 14-day final report after a fix is available. Triage details: docs/operations/VDP_RUNBOOK.md.
CVE assignment: for findings scoring CVSS 4.0 ≥ 4.0, we request a CVE via MITRE.
8. Hall of fame
Researchers who report valid in-scope issues are listed here (with permission) after the issue is fixed. The hall of fame is empty pre-launch.