Reporting a vulnerability
If you believe you have found a security vulnerability in the eleata Peppol API, the SDKs, or the GitHub Action, please report it to security@eleata.io. We aim to acknowledge reports within 2 business days and to provide a remediation timeline within 5 business days.
What to include
- A description of the vulnerability and its potential impact
- Steps to reproduce, including a minimal proof-of-concept where possible
- The affected component and version
- Your name and contact details for follow-up (optional but appreciated)
Coordinated disclosure
We follow a coordinated-disclosure model. We ask researchers to give us a reasonable opportunity to remediate before publicly disclosing the vulnerability. We commit to:
- Working in good faith to investigate and fix valid reports
- Providing credit in our hall of fame (with your permission)
- Not pursuing legal action against researchers who comply with this policy
Out of scope
- Denial-of-service or volumetric attacks against production endpoints
- Social-engineering attacks against eleata staff
- Vulnerabilities in third-party dependencies that have not yet been disclosed by the upstream maintainer
- Theoretical vulnerabilities without practical impact
- Issues affecting unsupported versions of the SDKs (older than 12 months)
Bug bounty
We do not currently operate a paid bug-bounty programme but may award discretionary thanks and credit for material findings.
Security controls in place
- TLS 1.2+ enforced on all production endpoints; HSTS preload
- Content Security Policy, X-Frame-Options, Referrer-Policy headers
- API keys hashed with bcrypt (cost factor 10); never stored in plaintext
- Stripe webhooks verified with HMAC-SHA256 signature
- XML parser hardened (defusedxml) against XXE, billion-laughs, external DTDs
- 5 MB max payload size enforced via Content-Length pre-check
- Rate limiting per API key and per IP address
- Security CI: gitleaks, pip-audit, npm audit, osv-scanner
- Audit logs for authentication and key management events
- Auto-deletion of validation payloads within 72 hours
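The webhook item above states that Stripe callbacks are accepted only after their HMAC-SHA256 signature checks out. As an added illustration of what that verification involves (this is not eleata's own code and makes no claim about how their handler is written), the block below implements Stripe's documented v1 scheme with the standard library: the signed string is `<timestamp>.<raw body>`, the MAC is HMAC-SHA256 under the endpoint secret, and the header carries `t=` plus one or more `v1=` values. The secret, event body and timestamps are constructed for the example. The two details a practitioner would want to see are the constant-time comparison and the freshness window, which bounds how long a captured request can be replayed.

```python
import hashlib
import hmac
import time
from typing import List, Optional, Tuple

# Constructed values for this example; not real eleata or Stripe material.
EXAMPLE_SECRET = "whsec_example_secret_do_not_use"
EXAMPLE_BODY = b'{"id": "evt_example_0001", "type": "payment_intent.succeeded"}'
DEFAULT_TOLERANCE = 300  # seconds; Stripe's documented default replay window


def compute_signature(secret: str, timestamp: int, payload: bytes) -> str:
    """HMAC-SHA256 over "<timestamp>.<raw body>", hex-encoded (Stripe's v1 scheme)."""
    signed_payload = str(timestamp).encode("ascii") + b"." + payload
    return hmac.new(secret.encode("utf-8"), signed_payload, hashlib.sha256).hexdigest()


def build_signature_header(secret: str, timestamp: int, payload: bytes) -> str:
    """Produce a Stripe-Signature header. Only used here to construct test input;
    a real receiver never builds this, Stripe does."""
    return f"t={timestamp},v1={compute_signature(secret, timestamp, payload)}"


def parse_signature_header(header: str) -> Tuple[Optional[int], List[str]]:
    """Split "t=...,v1=...,v1=..." into the timestamp and every v1 signature.
    Other schemes (e.g. v0) are ignored; a malformed timestamp yields (None, [])."""
    timestamp: Optional[int] = None
    v1_sigs: List[str] = []
    for item in header.split(","):
        key, sep, value = item.strip().partition("=")
        if not sep:
            continue
        if key == "t":
            try:
                timestamp = int(value)
            except ValueError:
                return None, []
        elif key == "v1":
            v1_sigs.append(value)
    return timestamp, v1_sigs


def verify_webhook(payload: bytes, header: str, secret: str,
                   now: Optional[int] = None,
                   tolerance: int = DEFAULT_TOLERANCE) -> bool:
    """Return True only if some v1 signature matches AND the timestamp is fresh.

    hmac.compare_digest keeps the comparison constant-time so a mismatch does not
    leak how many leading bytes were right; the tolerance check rejects replays
    of a request captured more than `tolerance` seconds ago."""
    timestamp, v1_sigs = parse_signature_header(header)
    if timestamp is None or not v1_sigs:
        return False
    if now is None:
        now = int(time.time())
    if abs(now - timestamp) > tolerance:
        return False
    expected = compute_signature(secret, timestamp, payload)
    return any(hmac.compare_digest(expected, sig) for sig in v1_sigs)


if __name__ == "__main__":
    ts = int(time.time())
    header = build_signature_header(EXAMPLE_SECRET, ts, EXAMPLE_BODY)
    print("genuine:", verify_webhook(EXAMPLE_BODY, header, EXAMPLE_SECRET))
    print("tampered body:", verify_webhook(EXAMPLE_BODY + b" ", header, EXAMPLE_SECRET))
    print("stale:", verify_webhook(EXAMPLE_BODY, header, EXAMPLE_SECRET, now=ts + 600))
```

Two points matter when wiring this into a handler: verify against the exact bytes received (re-serialising the parsed JSON changes whitespace and breaks the MAC), and check the signature before any other processing so an unauthenticated body never reaches business logic.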
Hall of fame
We will list responsible researchers here once the programme has its first valid reports.