Vulnerability Disclosure Policy
Scope
This Vulnerability Disclosure Program (VDP) is limited in scope to the following domains:
- Scilit - Scientific & Scholarly Research Database
- Scilit - Scientific Literature
- https://api.scilit.com/
Any vulnerabilities or security issues identified on the mentioned domains are within the scope of this program. We kindly request that security researchers and ethical hackers focus their testing and reporting efforts exclusively on the domains listed above. Please note that any vulnerabilities identified outside of these domains are not considered within the scope of this program.
Rules
We appreciate the efforts of security researchers in helping us identify and mitigate potential security vulnerabilities. To ensure a responsible and safe environment for all parties involved, we have established the following rules for participating in our Vulnerability Disclosure Program (VDP):
- Responsible testing: Security researchers and ethical hackers should always conduct responsible testing and refrain from non-technical or disruptive attacks, such as social engineering, phishing, physical attacks, DoS (Denial of Service), or DDoS (Distributed Denial of Service) attacks against our employees, users, or infrastructure.
- Guidance: If you have any doubts or questions about the testing you intend to perform, please contact us at the email address provided in our security.txt file.
- Acknowledgment of participation: By participating in our Vulnerability Disclosure Program (VDP), you acknowledge and agree to adhere to the terms outlined in this policy. This includes:
  - Confirming that you are not currently an employee or contractor of MDPI, were not an employee or contractor within the six months prior to submission, and did not collaborate on your submission with anyone who was.
  - Ensuring that your participation in the VDP will not violate any applicable laws, and will not disrupt or compromise any data that does not belong to you.
- Program discretion: Scilit reserves the right to terminate or discontinue the Vulnerability Disclosure Program at its discretion.
- Testing scope: Only test for vulnerabilities on websites and domains that you know to be operated by Scilit and are explicitly listed within the program's scope. Some websites hosted on subdomains may be operated by third parties and are not in-scope for testing.
Reporting Your Vulnerability
If you have identified a potential security vulnerability within the scope of our Vulnerability Disclosure Program, we appreciate your responsible disclosure. To report the vulnerability, please follow these steps:
- Contact information: Refer to the contact information provided in our security.txt file for the appropriate point of contact. Use the specified communication method for reporting vulnerabilities.
- Provide details: When reporting the vulnerability, please provide as much detail as possible. This includes a clear description of the issue, the affected systems or components, and any steps to reproduce the vulnerability.
- Response time: We will make our best effort to acknowledge receipt of your report promptly. Our security team will review and assess the reported vulnerability. Please allow us a reasonable amount of time to investigate and address the issue.
- Cooperation: We appreciate your cooperation throughout the disclosure process. We may need to communicate with you for additional details or to coordinate responsible disclosure.
- Non-disclosure: During the disclosure process, please refrain from publicly disclosing or sharing information about the vulnerability until we have had the opportunity to assess and address it.
Acknowledgment
At Scilit, we greatly appreciate the contributions of security researchers and ethical hackers in helping us enhance the security of our systems. However, please note that we do not offer financial rewards or compensation for vulnerability reports.
Instead, we express our sincere gratitude for your valuable assistance in identifying and responsibly disclosing security vulnerabilities. If you choose to be publicly acknowledged for your contributions, we will include your name (or alias, if preferred) on our "Hall of Fame" page as a token of our appreciation.
Your efforts play a crucial role in maintaining the security and integrity of our online services, and we are thankful for your dedication to responsible security research.