# Security Policy for CAREFUL Website
# Last Updated: 2025-06-20

# Our security contact
Contact: mailto:security@careful.online

# Our security policy
Policy: https://careful.online/security-policy

# Our preferred languages
Preferred-Languages: en

# Acknowledgments page (for responsible disclosure)
Acknowledgments: https://careful.online/security/acknowledgments

# Canonical URL for this file
Canonical: https://careful.online/.well-known/security.txt

# Expiration date (6 months from now)
Expires: 2025-12-20T00:00:00.000Z

# OpenPGP Key (if you have one)
# Encryption: https://careful.online/pgp-key.txt

# Bug Bounty Program (if you have one)
# Bounty: https://careful.online/bug-bounty

# Security Disclosure Policy
# We appreciate responsible disclosure of vulnerabilities.
# Please allow us 90 days to address issues before public disclosure.
# We will acknowledge receipt within 48 hours.

# In scope:
# - careful.online and all subdomains
# - Security vulnerabilities in our application
# - Authentication and authorization issues
# - Data exposure risks
# - Cross-site scripting (XSS)
# - SQL injection
# - CSRF vulnerabilities

# Out of scope:
# - Social engineering
# - Physical attacks
# - Denial of Service attacks
# - Automated vulnerability scanning without permission