Cal Coast Security Disclosure Policy
Cal Coast Water Damage takes security seriously. We welcome reports from security researchers who help keep our customers safe.
Scope
In scope: calcoastwaterdamage.com, moldhelpsd.com, and their subdomains.
Out of scope: Third-party services we use (Formspree, Google, Anthropic, Vercel, Calendly). Report directly to those vendors.
What to Report
- Authentication or authorization issues
- Cross-site scripting (XSS), CSRF, clickjacking with demonstrated impact
- Sensitive data exposure
- SSRF, RCE, SQL injection (we don't use SQL, but report it anyway)
- Subdomain takeover
- DNS misconfiguration with exploit potential
What's NOT a Vulnerability
- Automated scanner output without proof-of-exploit
- Missing security headers without demonstrated impact
- Social engineering or phishing without a technical component
- Issues requiring physical access or stolen credentials
How to Report
Email josiah@gowithcalcoast.com with the subject SECURITY REPORT. Include reproduction steps and an impact assessment.
Our Commitment
- Acknowledge your report within 5 business days
- Investigate within 14 days
- Coordinate disclosure timeline with you
- Add you to our acknowledgments file (if you wish)
- We do NOT pursue legal action against good-faith researchers acting under this policy
Safe Harbor
Activities conducted in a manner consistent with this policy are authorized and we will not initiate legal action. We waive any restrictions in our Terms of Service that would prohibit good-faith security research.