Security: onehashai/Cal-ID

SECURITY.md

Security at Cal ID 🔒

Contact: security@cal.id

At Cal ID, protecting our users and systems is a top priority. Even with strong defenses, vulnerabilities can exist. If you discover one, we’d love your help to fix it quickly and responsibly.

Out-of-Scope Issues ❌

Some things we don’t consider critical security issues:

  • Clickjacking on pages without sensitive actions
  • CSRF affecting only login/logout without sensitive data
  • Attacks that need physical access or MITM (Man-in-the-Middle)
  • Denial-of-Service (DoS) or spam attacks
  • Minor content/text issues that don’t impact security
  • Email spoofing
  • Missing non-critical security headers or DNS records (e.g. CSP, DNSSEC, CAA)
  • Non-sensitive cookie flags
  • Dead links

Reporting Guidelines 📝

To report a vulnerability safely:

  1. Email security@cal.id with a clear description.
  2. Avoid running automated scans on live systems. Contact us first for a test environment.
  3. Do not exploit the issue beyond what’s needed to demonstrate it.
  4. Keep the discovery confidential until it’s fixed.
  5. Provide enough info for us to reproduce and resolve the issue (URL, steps, affected system).

Our Commitment 🤝

When you report a vulnerability responsibly:

  • We’ll respond within 3-5 business days with next steps.
  • No legal action if you follow these guidelines.
  • We treat your report and personal info with strict confidentiality.
  • You’ll be kept updated until the issue is resolved.
  • We’ll credit you as the discoverer (unless you prefer to stay anonymous).

Thank you for helping make Cal ID safer! 🚀