Legal & trust

Responsible disclosure.

Security researchers, ethical hackers and curious engineers are actively welcome here. If you find a vulnerability, please tell me privately and in good faith, and you'll be credited.

Report a vulnerability

security@mirelacuriman.com

Forwards to a ProtonMail inbox. PGP available on request. Acknowledgement within 72 hours; status update within 10 working days; fix or mitigation as soon as possible — typically < 30 days for medium/high severity.

Machine-readable: /.well-known/security.txt

In scope

  • mirelacuriman.com and www.mirelacuriman.com
  • Anything served from those domains, including the contact form, booking flow and downloadable assets

Out of scope

  • Third-party services (Cal.com, ProtonMail, LinkedIn) — please report directly to those vendors
  • Social engineering, phishing or physical attacks
  • Volumetric DoS or DDoS testing
  • Issues requiring a rooted/jailbroken device, outdated browser, or non-default configuration
  • Automated scanner output without a working proof of concept
  • Missing security headers or cookie flags without a demonstrated impact

Safe-harbour commitment

If you act in good faith — you don't access, modify or exfiltrate data beyond what's needed to demonstrate the issue, you don't disrupt the service, and you give a reasonable window before public disclosure — you will not be pursued legally and your research is welcomed. Reports are kept confidential until a fix is shipped.

Recognition

This is an independent practice, so there is no monetary bounty — but valid reports earn a public thank-you (with your consent) and a personal recommendation on LinkedIn. Coordinated disclosure is standard.

What to include

  • Affected URL or component
  • Steps to reproduce, ideally with a minimal proof of concept
  • Impact assessment (what an attacker could do)
  • Your preferred name/handle for credit (or "anonymous")