Security Policy

Last updated: November 24, 2024

Our Commitment to Security

At Pearl Beach Cottages, we take the security and privacy of our guests seriously. We are committed to maintaining a secure website and protecting our users' personal information.

We welcome and appreciate the efforts of security researchers and ethical hackers who help us maintain the security of our systems through responsible disclosure.

Scope

This security policy applies to:

  • pearlbeachcottages.com and all subdomains
  • Contact forms and data submission endpoints
  • Guest-facing web applications and APIs
  • Third-party integrations (VRBO, Google Maps)

Reporting a Vulnerability

If you discover a security vulnerability, we encourage you to report it to us responsibly. We commit to investigating all legitimate reports and working to resolve issues promptly.

How to Report

What to Include

When reporting a vulnerability, please include:

  • Description of the vulnerability and potential impact
  • Steps to reproduce the issue
  • Proof of concept (if applicable)
  • Your contact information for follow-up questions
  • Any remediation suggestions you may have

Response Timeline

We commit to the following response timeline:

  • Initial Response: Within 48 hours of receiving your report
  • Status Update: Within 7 days with our assessment and action plan
  • Resolution Target: Critical vulnerabilities within 30 days
  • Public Disclosure: Coordinated with reporter after fix is deployed

Safe Harbor

We will not pursue legal action against researchers who:

  • Follow responsible disclosure practices
  • Avoid violating privacy or destroying/modifying data
  • Do not exploit vulnerabilities beyond what is necessary to demonstrate them
  • Do not perform actions that could harm our users or services
  • Give us reasonable time to address issues before public disclosure

Out of Scope

The following are explicitly out of scope:

  • Denial of Service (DoS/DDoS) attacks
  • Social engineering attacks on our staff or guests
  • Physical security testing
  • Third-party services (VRBO, Google Maps) - report directly to those providers
  • Automated vulnerability scans without prior authorization
  • Public disclosure without coordinating with us first

Implemented Security Measures

We've implemented the following security measures to protect our website and user data:

Technical Security Controls

  • HTTPS/TLS: All traffic encrypted with TLS 1.2 or newer
  • Content Security Policy: Strict CSP headers to mitigate XSS (a CSP limits what an injected script can do; it does not replace output encoding)
  • HSTS: HTTP Strict Transport Security tells browsers to use HTTPS only, including for subdomains covered by this policy
  • X-Frame-Options: Protection against clickjacking (the CSP frame-ancestors directive provides the same protection in current browsers)
  • Input Validation: Server-side validation on all form inputs
  • Rate Limiting: Protection against brute force and spam on data submission endpoints
  • Source Map Protection: Source maps are not shipped in production builds, so minified bundles do not expose original source
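The header controls listed above can be verified from the outside rather than taken on trust. The following is an added example (not code from the Pearl Beach Cottages site) that checks a set of response headers against those controls: HSTS with a sufficient max-age and includeSubDomains (the policy scope covers all subdomains), a CSP whose script sources allow neither 'unsafe-inline', 'unsafe-eval' nor a wildcard, and a clickjacking defence via either frame-ancestors or X-Frame-Options. The two header sets are constructed for the example; the one-year HSTS threshold and the Google Maps script origin in the strong set are assumptions, since the exact CSP allowlist depends on how the map is embedded.

```python
"""Check HTTP response headers against the stated controls (added example)."""
from __future__ import annotations

# Assumed threshold: one year is the common minimum for a production HSTS policy.
HSTS_MIN_MAX_AGE = 31536000


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source tokens]}."""
    directives: dict[str, list[str]] = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def parse_hsts(value: str) -> dict:
    """Extract max-age, includeSubDomains and preload from an HSTS value."""
    out: dict = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in value.split(";"):
        token = part.strip().lower()
        if token.startswith("max-age="):
            try:
                out["max_age"] = int(token.split("=", 1)[1])
            except ValueError:
                pass  # malformed max-age is treated as absent
        elif token == "includesubdomains":
            out["include_subdomains"] = True
        elif token == "preload":
            out["preload"] = True
    return out


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: list[str] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS: header missing")
    else:
        p = parse_hsts(hsts)
        if p["max_age"] is None or p["max_age"] < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS: max-age below {HSTS_MIN_MAX_AGE}")
        if not p["include_subdomains"]:
            findings.append("HSTS: includeSubDomains missing (policy scope covers all subdomains)")

    csp = h.get("content-security-policy")
    directives = parse_csp(csp) if csp is not None else {}
    if csp is None:
        findings.append("CSP: header missing")
    else:
        if "default-src" not in directives:
            findings.append("CSP: no default-src fallback")
        # script-src falls back to default-src when it is not set explicitly
        script_sources = directives.get("script-src", directives.get("default-src", []))
        for bad in ("'unsafe-inline'", "'unsafe-eval'", "*"):
            if bad in script_sources:
                findings.append(f"CSP: script-src allows {bad}")

    # Clickjacking: either mechanism is acceptable; neither is a finding.
    xfo = h.get("x-frame-options")
    if "frame-ancestors" not in directives and xfo is None:
        findings.append("Clickjacking: neither frame-ancestors nor X-Frame-Options set")
    if xfo is not None and xfo.strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options: unexpected value {xfo!r}")

    return findings


# Constructed sample: what a response matching the policy above could look like.
STRONG_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' https://maps.googleapis.com; "
        "img-src 'self' data: https://maps.gstatic.com; frame-ancestors 'none'"
    ),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}

# Constructed sample: headers present but permissive enough to be useless.
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=300",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
}

if __name__ == "__main__":
    for name, hdrs in (("strong", STRONG_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, check_security_headers(hdrs) or "all checks passed")
```

To run this against a live site, replace the sample dicts with the headers of a real response (for example `requests.head(url, allow_redirects=True).headers`) and keep the check logic as is; the parser deliberately lowercases header names and tokens because both are case-insensitive on the wire.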

Privacy & Data Protection

  • No sensitive data stored client-side
  • Minimal data collection (only what's necessary)
  • GDPR-compliant data handling practices
  • Third-party processors vetted for security compliance
  • Regular security audits and updates

Infrastructure Security

  • Static site architecture reduces attack surface
  • CDN protection and DDoS mitigation
  • Automated security updates for dependencies
  • Regular vulnerability scanning

Known Issues and Limitations

We maintain transparency about current limitations:

  • Google Maps API Key: The current key needs to be replaced with one restricted by HTTP referrer to pearlbeachcottages.com and limited to the Maps APIs the site uses; a browser key is visible in page source, so an unrestricted key can be used from other sites against our quota
  • Contact Form: Email service integration is pending; submissions currently go to a mock endpoint and are not delivered by email

Note: These issues are tracked internally and will be resolved before production deployment.

Security Best Practices for Guests

We recommend our guests follow these security best practices:

  • Use unique, strong passwords for VRBO and email accounts
  • Be cautious of phishing attempts impersonating Pearl Beach Cottages
  • Verify URLs before entering sensitive information
  • Keep your devices and browsers up to date
  • Report suspicious communications immediately

Incident Response

In the event of a security incident affecting guest data, we will:

  • Immediately investigate and contain the incident
  • Notify affected users within 72 hours
  • Provide clear information about what data was affected
  • Offer guidance on protective measures
  • Implement measures to prevent similar incidents
  • Comply with all applicable breach notification laws

Security Updates

This page will be updated as we implement new security measures or make changes to our policies. Check the "Last updated" date at the top of this page for the most recent version.

Additional Resources

Acknowledgments

We appreciate the security research community's efforts in making the internet safer. While we don't currently offer a bug bounty program, we recognize and thank researchers who responsibly disclose vulnerabilities.

Questions About Security?

If you have questions about our security practices or need to report a security concern, please don't hesitate to reach out.

Contact Security Team