At Castor, we take the security of our systems and the protection of our user, partner and customer data very seriously. Despite our best efforts, vulnerabilities can still exist. If you discover a vulnerability, we greatly appreciate it if you report it to us so that we can act quickly to resolve it.
Please note that we do NOT offer any monetary rewards on this program.
Reporting security vulnerabilities
You can report (potential) vulnerabilities to:
[email protected]
Please provide sufficient information to help us reproduce and analyze the issue (e.g., IP address, URL, a clear description). For complex cases, we may ask for additional details.
For secure communication, you can use our PGP key (see below).
What we ask from you
- Report your findings as soon as possible after discovery.
- Allow us a reasonable amount of time to investigate and resolve the issue before publicly disclosing any details.
- Conduct your research responsibly:
  - Avoid privacy violations, data destruction, service disruption or misuse of the vulnerability.
  - Limit your testing to accounts you own or accounts for which you have explicit permission.
  - Only perform actions necessary to demonstrate the vulnerability.
Out of scope / irrelevant vulnerabilities
Some types of findings fall outside the scope of our Responsible Disclosure program or are known to be irrelevant, either in general or for our systems. Reports about the following topics will not be handled:
- Clickjacking on pages without sensitive actions.
- CSRF on non-significant actions.
- CORS misconfigurations where the Access-Control-Allow-Credentials header is not set.
- Missing HTTP security headers without direct impact (e.g., Content-Security-Policy or X-Frame-Options), unless a clear risk is present.
- SSL/TLS best practice issues.
- Missing or incomplete SPF, DKIM or DMARC records.
- Missing cookie flags where cookies do not contain sensitive data.
- Open redirect vulnerabilities without additional security impact.
- Content spoofing or text injection without demonstrating a viable attack.
- Host header injection without demonstrable impact.
- Vulnerabilities reported immediately after public disclosure.
- Automated scanner reports without validation and/or without any actual risk.
- Denial of Service attacks or social engineering attempts.
- Attacks requiring MITM or physical access to a user’s device.
- Self-XSS.
What you can expect from us
- We will acknowledge receipt of your report within 5 business days.
- All reports will be treated confidentially and will not be shared with third parties, unless necessary to resolve the issue or if legally required.
- We may contact you for additional information if needed.
- We will keep you informed of progress and will notify you once the vulnerability is resolved.
Castor does not offer monetary rewards or operate a bug bounty program. In some cases, we may offer a token of appreciation at our discretion.
PGP key for secure communication
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQINBFtRmq4BEACbRs/MexXrcxzyaN59n/rqsc0DEx6SUvnAKXPXqxJ5VM8yekCa
DOZU4R7L9eTvk8eOh9ahM/XsyQesVGldDpIEzSjwBYwlDiObamOJC3b3oMOisnG9
WgPibvlOBzeCQ1NmFzthDBUTx9TebtXwCqEIhhedDslXMsZBBxtWj2mzJ4VRRyes
zd+bUpUCLCRM9scZeKoiY50pGLMERPAvlAJvTU1eMeVReY3Cx1/gvCAh0drlo46o
5GVjS31MybmUdqS49WcCBWcwaKsfPt70Zf0+UgO2JsyHBxW370W8E+yRwrWLSs1h
XamQleWBBQ4zQDUnc4jclMylkukKcJUhAIqyzl4pQJzzSJZWIMbfKM6GlScKrfO7
zhmBphnpBKMSiKCd3LK0u3j+a6ALs6G5FPof7HyLB7hiorqP7v0xbxkCsH9JDZxq
xF+HIDz+WSF+XtZxt13/CnYAGLEZpa1SZwHpLBuqB9FlCngDwiDsgUzoh8YXgxVJ
n+/tEh7MbuI1ylDtda09k00o9Qp+ErEEhIkjAUScarP06kHOlFCGNGrYcbFZ6XoW
Z2ZBeK3/pTo8e5LicbYklR+txMXX+blC5IywtGy857oJZwXA2TApu+UteAiJd5id
kN8EERkNKxYDFZazu5qkYKeksCX5pUdj4wqSDR97b80a9TKttkBMYzz0YQARAQAB
tENDYXN0b3IgUmVzcG9uc2libGUgRGlzY2xvc3VyZSA8cmVwb25zaWJsZS1kaXNj
bG9zdXJlQGNhc3RvcmVkYy5jb20+iQJOBBMBCAA4FiEE42qVRO2TtkNpilRj6jpq
B9aeYWIFAltRmq4CGwMFCwkIBwIGFQoJCAsCBBYCAwECHgECF4AACgkQ6jpqB9ae
YWLmYg//QYHlIbT5vRTa5aqxyeTXG+WdDjOdprFamjMuf1WWoM7UUJYqN+z8MdAq
jsFYMcllKvqDMd7z+C87zyURGhbXd4lMNsO+tYOql5Thkp1G0fhLGSEBdLfvns6e
mSh8v8Lc0Pe1+H6K6JLj1QC5ZP+XSZFdIeP54DZYzt35HeA8S8rQKAXKZKFSOo5w
uem5pWZXR9OLa6AxjqI1cyKahVTqKhYOegw3FoQGHeZNwwgt2mLEVkZHg7rxtJCY
93261E9BynOnwouMEN3etyGG65xe7QWWMFxmwzqzeWatgYoRrS3RpPF0Jy7YbfVL
qDuJr9FON9swunYF2/QI0omM1cwpG2UWKInez+X22fMrufWGmyBndyDsVprWIdOY
MdotYZfUfmpftydxniUu7ODnjKDmAXhjxekPaj6Yqje/92/Bni8nOldntqVRJzlc
K5mHBHJ0IcIvwCT87fs5BmeyP/RX9kpaYCkYn95UWgXNjbnFqQjIS7TTKQt3uG3+
iFiL4P5oFQ9nx939X8ZgPPEpIDUS8HYu8dKFRSGh+sCK/YGxuhrvgOwfT40MqA6P
B29J+VKaDc40moMQHZsPZqRl0Ry6XgIequV512yDvIfs04Zz+lcxbbNfqbmkwXfS
WE3xodTX/2jD4f8UjjWHi7P0VzGicP2qbKlO9Q/QeZaX95AdRf65Ag0EW1GargEQ
ANzLq8uAeVTV1a7lC9CM5a0tq2C0g42xEEor01sAqRbI35xMTSrq3gq10Vg6QoaL
AC6NKFxScaaLtekroh3dI9KISMnhSc0F1kS64arzpNbVyimW6DjTtROLYDpUZVLZ
zeDbFXWM06blASFlVMade/Gj8h0fjZio2TfPA5JhxtDO++pgnAyEY8CfUoz3PaP6
wgYshAb/E5zlGj4Ikx1Ehj7FJv2PLIfLIlcaYUv3SQtDptX7qr3nvJGoOpU0exPr
U2DHECpdRcxqCOvVW7byM5hzatUeH9BlIlq804mMB4FKu8iMGgYaQcZKXzf2rnnN
Jspzh0JnbANKd07tyfAL9KsbQXMtUrh33UFHA6TEKQ4cbdfP/u1SQEaCEDmwY6BR
aBWHyuZtjQmUQtKCUEduApBrkEBkOrc2Cajn+27NKauGYsMLp39J1Spgu04RlE8J
89W4hrosy6A/3g9pUq8lpiBHG4b4APZdBLWqyjDk5O2DPF/VZZ7MA1aGaDsD8eYg
JmB1jBy/I9x7GfHonNwTmPYdY+pON7tuVwZYcowwm55EYK8Ujg9g/OeXOggUjfBH
svlcI/PsvNl2gaxPPcazetd9YhzLMQcTTwtyeVwX8wKfNSi2pv7wV18M5RK1IFW8
mLcq4FLdAsaYg3xY5ocd+zTK30nZqNelRSmxC2mbBJK5ABEBAAGJAjYEGAEIACAW
IQTjapVE7ZO2Q2mKVGPqOmoH1p5hYgUCW1GargIbDAAKCRDqOmoH1p5hYtEZEACF
6bF5i5Iyp8FsQzopOyRPCLmc4PAbudPQK0ji0xcw4iEvL5Ve0QzGAP7Mt7VwHHQ2
45vjagsAZaSimu3y5RR5OdIzX6UGXvQciZERbdWsm+qieJ5lK/zNnfeWdSWI0ook
4cqRVLuHwhchqs4EiRfVBPUoAMG0R5rS5pWRHDb99ICdsIyZhBvWA7aItEfu26OB
SkQW6S8+0Tc+ZsNjiNzXVORKJkaNJdMB93BOJ6qyZJMc7gpYKvzn3L04E5mTXCYO
f4xy8hNXcnGQvTkFLN1W2qO0nRRpxb/t9x8xjnvamla3/hUwnYzgUGqEMExmK0+j
U1UAtMVIN1FEEUgiA8wy0DeKyuRHqoMKcql3ZvaLi9563bTkDEeT833ItDp0S/fN
ES9TXbvTai8+dSQNHJWWuH+0CfcXiErtCLPKPcMPGMtTxgd4GDwtYzHNsqTisx7J
EIVt05RMfdrOWFqMusXMlks6fQSiApvOyvd8lQFp1Fz/ILlReR74TNj9HgRxOhIY
tDaCH3uHP+rAP7qs+ZxVHYsixA6s5v8IRC6xQipKXjHOT9V4r+LV3jecMmriWGEJ
yftuzbr28az5mee8Ob8Gcnfl8GePmOh7ngsoPD2z2rgHafQhDbSPOGK43y6dHpYv
BDxscKgl3A/5xHMsD3FyRz1JGinFux5Gf2Eel2P09g==
=Vt4Y
-----END PGP PUBLIC KEY BLOCK-----
Fingerprint:
E36A9544ED93B643698A5463EA3A6A07D69E6162