# Security Contact Information
# RFC 9116: https://www.rfc-editor.org/rfc/rfc9116.html
# Validate at: https://securitytxt.org/

Contact: mailto:security@digital-heroes.co
Contact: https://digital-heroes.co/security
# RFC 9116 recommends an Expires value less than a year in the future;
# refresh this file before it lapses, since an expired file must be treated as stale.
Expires: 2026-12-31T23:59:59.000Z
Preferred-Languages: en, de
Canonical: https://digital-heroes.co/.well-known/security.txt

# Our security disclosure policy
Policy: https://digital-heroes.co/security-policy

# Our PGP key for encrypted communications (optional)
# Encryption: https://digital-heroes.co/pgp-key.txt

# Acknowledgments page for security researchers
Acknowledgments: https://digital-heroes.co/security-acknowledgments

# Hiring information (optional)
# Hiring: https://digital-heroes.co/careers

# ============================================================================
# SECURITY DISCLOSURE PROCESS
# ============================================================================
#
# We take security seriously. If you discover a security vulnerability,
# please report it to us as soon as possible.
#
# WHAT TO REPORT:
# - Authentication/Authorization flaws
# - Cross-Site Scripting (XSS)
# - Cross-Site Request Forgery (CSRF)
# - SQL/NoSQL Injection
# - Server-Side Request Forgery (SSRF)
# - Remote Code Execution (RCE)
# - Information Disclosure
# - Security misconfigurations
# - Vulnerable dependencies
#
# WHAT NOT TO REPORT:
# - Issues in third-party services we don't control
# - Social engineering attempts
# - Physical security issues
# - Denial of Service (DoS/DDoS)
# - Spam or email spoofing
# - Missing best practices without proven security impact
#
# RESPONSE TIME:
# - Initial response: Within 48 hours
# - Status update: Within 7 days
# - Resolution timeline: Based on severity
#
# SAFE HARBOR:
# We support responsible disclosure and will not pursue legal action
# against researchers who:
# - Make a good faith effort to avoid privacy violations and data destruction
# - Do not exploit the vulnerability beyond what is necessary to demonstrate it
# - Allow us reasonable time to fix the issue before public disclosure
#
# ============================================================================
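The file above is a config in the RFC 9116 format, and the "Validate at" comment points at an external checker. As an added example (not part of the file and not the site's own tooling), the Python below parses that format and applies the checks a reviewer would run before publishing: Contact present and URI-shaped with https for web links, Expires present exactly once, not already past and not more than a year out, Preferred-Languages at most once, and Canonical matching the URL the file was fetched from. The SAMPLE text is a constructed copy of the fields above (comments and optional commented-out fields dropped); the reference time and the fetched URL are assumptions passed in by the caller.

```python
"""Minimal RFC 9116 (security.txt) parser and sanity checker (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample that mirrors the fields in the file above; nothing is fetched.
SAMPLE = """\
# Security Contact Information
Contact: mailto:security@digital-heroes.co
Contact: https://digital-heroes.co/security
Expires: 2026-12-31T23:59:59.000Z
Preferred-Languages: en, de
Canonical: https://digital-heroes.co/.well-known/security.txt
Policy: https://digital-heroes.co/security-policy
Acknowledgments: https://digital-heroes.co/security-acknowledgments
"""

# Field names defined by RFC 9116; the RFC treats field names as case-insensitive.
KNOWN_FIELDS = {
    "acknowledgments", "canonical", "contact", "csaf", "encryption",
    "expires", "hiring", "policy", "preferred-languages",
}


def parse_security_txt(text):
    """Return {lowercased field name: [values in file order]}; '#' lines are comments."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value):
    """Parse the RFC 3339 / ISO 8601 timestamp used by Expires; a trailing 'Z' means UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    ts = datetime.fromisoformat(value)
    if ts.tzinfo is None:
        raise ValueError("Expires must carry a time zone")
    return ts


def check_security_txt(text, now, fetched_from=None):
    """Return a list of findings; an empty list means the file passed every check."""
    findings = []
    fields = parse_security_txt(text)

    for name in fields:
        if name not in KNOWN_FIELDS:
            findings.append(f"unknown field: {name}")

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append("Contact is required and missing")
    for c in contacts:
        # Contact values are URIs (mailto:, tel:, or a web URI, which must use https).
        if c.startswith("http://"):
            findings.append(f"Contact web URI must use https: {c}")
        elif ":" not in c:
            findings.append(f"Contact is not a URI (missing scheme): {c}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        findings.append("Expires is required and must appear exactly once")
    else:
        exp = parse_expires(expires[0])
        if exp <= now:
            findings.append(f"file expired at {expires[0]}")
        elif exp - now > timedelta(days=365):
            findings.append("Expires is more than a year out (RFC 9116 recommends less)")

    if len(fields.get("preferred-languages", [])) > 1:
        findings.append("Preferred-Languages must appear at most once")

    canonical = fields.get("canonical", [])
    if fetched_from and canonical and fetched_from not in canonical:
        findings.append(f"Canonical does not list the URL fetched: {fetched_from}")
    return findings


if __name__ == "__main__":
    # Assumed reference time and fetch URL; a deployed checker would use
    # datetime.now(timezone.utc) and the URL it actually retrieved.
    findings = check_security_txt(
        SAMPLE,
        datetime(2026, 6, 1, tzinfo=timezone.utc),
        fetched_from="https://digital-heroes.co/.well-known/security.txt",
    )
    print("OK" if not findings else "\n".join("FINDING: " + f for f in findings))
```

The checker only covers the structural rules of the RFC; it does not verify a PGP cleartext signature on the file or fetch the URLs in Policy, Encryption, or Acknowledgments, which a pre-publish review should also do by hand.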