# Security policy

## Reporting a vulnerability
If you believe you have found a security issue, please report it responsibly:

- Email: security@hoofdrust.be
- Web: https://hoofdrust.be/legal/security.html
- security.txt: https://hoofdrust.be/.well-known/security.txt

Please include:
- a clear description and impact
- steps to reproduce (proof-of-concept if possible)
- affected URLs and versions
- any suggested mitigations

## Response expectations
We aim to:
- acknowledge receipt within 3 business days
- provide an initial assessment within 10 business days
- keep you updated until resolution

## Scope
In scope:
- the public website and web app pages served from our domains
- Cloudflare worker endpoints (e.g. /csp-report, /session/start)

Out of scope:
- denial of service (DoS) attacks
- social engineering of staff or users
- physical attacks
- vulnerabilities in third-party services outside our control

## Safe harbor
We will not pursue legal action against researchers who:
- act in good faith
- avoid privacy violations and data destruction
- do not exploit beyond what is necessary to demonstrate the issue
- report promptly and allow reasonable time for a fix
