Saltar al contenido principal
CasaVanguardia

Security Overview & Responsible Disclosure

Last updated: 2025-02-12 v1.0

Our Commitment to Security

Keeping your data safe and secure is a top priority for Far Horizons OÜ (“the Company”, “we”, “us”). CasaVanguardia handles property listing data, user account information, and inquiry communications, and we take the protection of all of this seriously. This page describes the measures we have in place and how to report security concerns.

Data Protection Measures

Encryption in Transit

All data transmitted between your browser and CasaVanguardia is encrypted using HTTPS (TLS 1.2 or higher). We enforce HTTPS across all endpoints and do not serve any content over unencrypted HTTP. HSTS headers are configured to prevent downgrade attacks.

Encryption at Rest

User account data and sensitive configuration data are encrypted at rest. Listing data stored in our databases is protected by the underlying storage provider’s encryption mechanisms. Database backups are encrypted.

Backups

We maintain regular automated backups of all critical data. Backups are stored in geographically separate locations and are tested periodically to ensure they can be restored.

Access Controls

Access to production systems is restricted to authorised personnel only. We follow the principle of least privilege — team members are granted only the minimum access necessary for their role. Administrative access requires multi-factor authentication.

Infrastructure Security

Cloudflare Edge Network

CasaVanguardia runs on Cloudflare’s global edge network. This provides several security benefits:

  • DDoS protection. Cloudflare’s network absorbs and mitigates distributed denial-of-service attacks before they reach our application.
  • Web Application Firewall (WAF). Managed rulesets help protect against common web exploits including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats.
  • Bot management. Automated traffic is filtered to reduce abuse from malicious bots while allowing legitimate crawlers.
  • Edge TLS termination. TLS is terminated at Cloudflare’s edge, ensuring encrypted connections globally with minimal latency.

Application Security

  • Our application is built with modern frameworks that provide built-in protections against common vulnerabilities (XSS, CSRF, injection).
  • Dependencies are regularly audited and updated to address known vulnerabilities.
  • We use Content Security Policy (CSP) headers and other browser security headers to reduce attack surface.

Billing Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor. We never store credit card numbers or sensitive payment credentials on our own systems.

Responsible Disclosure — Reporting Vulnerabilities

We appreciate the work of security researchers who help keep our users safe. If you discover a security vulnerability in CasaVanguardia, we encourage you to report it responsibly.

How to Report

Send your report to: hello@farhorizons.io

Please include:

  • A description of the vulnerability and its potential impact.
  • Detailed steps to reproduce the issue, including any tools, URLs, or payloads used.
  • Your name or handle (for acknowledgment, if desired).
  • A secure way for us to respond to you (encrypted email, Signal, etc.).

If you wish to encrypt your report, please contact us first and we will provide a PGP key.

What We Expect from Reporters

We ask that security researchers:

  • Act in good faith. Make a genuine effort to avoid privacy violations, degradation of service, and destruction of data.
  • Do not access, modify, or delete other users’ data. If you encounter personal data during your research, stop and report the issue immediately.
  • Do not exfiltrate data. Do not copy, store, or share any data beyond the minimum necessary to demonstrate the vulnerability.
  • Allow reasonable time for remediation. Give us at least 90 days to investigate and address the issue before making any public disclosure.
  • Do not exploit the vulnerability for any purpose beyond demonstrating the proof of concept.
  • Do not use automated scanning tools in a way that degrades service for other users. If you need to run automated tests, please contact us to arrange a suitable testing window.

What You Can Expect from Us

  • Acknowledgment within 24 hours. We will confirm receipt of your report and provide a reference number.
  • Regular updates. We will keep you informed of our progress in investigating and addressing the issue.
  • No prosecution. We will not pursue legal action against researchers who act in good faith and comply with this disclosure policy.
  • Credit and recognition. With your permission, we will publicly acknowledge your contribution on this page (see “Hall of Thanks” below) once the issue has been resolved.
  • Timely remediation. We aim to resolve critical vulnerabilities within 7 days and high-severity issues within 30 days, though timelines may vary depending on complexity.

Scope

The following are in scope for responsible disclosure:

  • casavanguardia.co and all subdomains
  • api.casavanguardia.co
  • Authentication and session management
  • Data exposure or access control issues

The following are out of scope:

  • Social engineering or phishing attacks against our employees or users.
  • Denial-of-service attacks.
  • Physical security of our offices or infrastructure.
  • Third-party services we use (Cloudflare, Stripe, Clerk) — please report issues with those services directly to the respective providers.
  • Findings from automated scanners without a demonstrated, exploitable vulnerability.

Recognition

We do not currently operate a paid bug bounty programme. However, we deeply value the contributions of security researchers and will:

  • Publicly acknowledge researchers on this page (with consent).
  • Provide a written letter of acknowledgment upon request.
  • Consider offering recognition in other forms on a case-by-case basis.

Hall of Thanks

We would like to thank the following researchers for their responsible disclosure:

No reports yet — be the first to help us improve!

Security.txt

In accordance with RFC 9116, we maintain a /.well-known/security.txt file that provides machine-readable security contact information. You can access it at:

https://casavanguardia.co/.well-known/security.txt

Incident Response

In the event of a security incident affecting user data:

  1. We will investigate and contain the incident as quickly as possible.
  2. Affected users will be notified in accordance with the GDPR’s 72-hour breach notification requirement and applicable Estonian law.
  3. The relevant supervisory authority (Andmekaitse Inspektsioon) will be notified where required.
  4. We will publish a post-incident summary (excluding details that could enable further exploitation) and take steps to prevent recurrence.

Contact

For security concerns, vulnerability reports, or questions about our security practices: