Security Policy
At National Day Calendar, we take the security of our systems and the privacy of our users seriously. We believe that no system is 100% secure, and we value the help of the security research community to keep our platform safe.
If you have found a vulnerability, we want to hear from you. This policy outlines our expectations and our commitment to you.
1. Guidelines for Responsible Disclosure
To encourage responsible disclosure, we ask that you:
Report Privately: Share the full details of any vulnerability you find with us exclusively, by emailing security@nationaldaycalendar.com.
Provide Details: Include a clear, written description of the vulnerability and the steps needed to reproduce it (a "Proof of Concept").
Do No Harm: Do not attempt to access, modify, or delete data belonging to our users. Do not perform Denial of Service (DoS) attacks or use social engineering against our staff.
Allow Time: Give us a reasonable amount of time to investigate and remediate the issue before making any information public.
2. Out-of-Scope Vulnerabilities
While we review all reports, the following are generally considered out of scope unless they lead to a significant, direct vulnerability:
"Clickjacking" on pages without sensitive actions.
Lack of "Best Practice" headers (e.g., CSP, HSTS) unless a bypass is demonstrated.
Reports of non-masked passwords in UI.
Spam or Social Engineering techniques.
Publicly disclosed vulnerabilities in third-party services that National Day Calendar uses (we typically wait for upstream patches).
3. Our Commitment (Safe Harbor)
If you follow the guidelines above when reporting an issue to us:
We will not pursue legal action against you.
We will acknowledge receipt of your report within 3 business days.
We will keep you updated as we work to resolve the issue.
We will offer you a spot in our Security Acknowledgments Hall of Fame once the issue is resolved.
4. Compensation
National Day Calendar does not operate a paid bug bounty program at this time. We do not offer financial rewards for vulnerability reports. We do, however, offer our sincere thanks and public recognition on our Hall of Fame page for valid, responsibly disclosed findings.
Questions?
If you have questions regarding this policy, please reach out to our engineering team at security@nationaldaycalendar.com.
Last Updated: May 16, 2026