# CivicCA Vulnerability Disclosure Policy
# https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:security@civicca.com
Expires: 2027-04-17T00:00:00.000Z
Encryption: https://www.civicca.com/.well-known/civicca-pgp.asc
Preferred-Languages: en
Canonical: https://www.civicca.com/security.txt
Policy: https://www.civicca.com/security
Acknowledgments: https://www.civicca.com/security#acknowledgements

# Reporting guidelines:
# 1. Email security@civicca.com with a description of the issue, reproduction
#    steps, affected URLs, and any relevant screenshots or proof-of-concept.
# 2. Please do not exploit, exfiltrate, or modify Customer data. Use test
#    accounts wherever possible. We will provide test access on request.
# 3. We will acknowledge your report within 48 hours and provide a remediation
#    timeline based on severity. Critical issues are typically patched within
#    7 days; high-severity within 30 days.
# 4. We will not pursue legal action against researchers acting in good faith
#    under this policy. Please give us reasonable time to remediate before
#    public disclosure.
#
# In scope:
# - *.civicca.com (production application, marketing site, public portal)
#
# Out of scope:
# - Findings on the trial environment (trial.civicca.com)
# - Reports of missing security headers without demonstrable impact
# - Reports requiring a victim to perform implausible actions
# - Denial-of-service via volumetric attack
# - Social engineering of CivicCA staff or Customer staff
# - Physical access attacks