# RFC 9116 - Disclosing Security Vulnerabilities for NaprawKSeF
#
# We treat security reports as a top priority. Please follow this
# policy and we'll respond within one business day.

Contact: mailto:kontakt@naprawksef.pl
Contact: https://naprawksef.pl/security
Expires: 2027-12-31T23:59:59.000Z
Preferred-Languages: pl, en
Canonical: https://naprawksef.pl/.well-known/security.txt
Policy: https://naprawksef.pl/security

# Scope
# in-scope: https://naprawksef.pl/*
#           https://*.naprawksef.pl/*
#           https://api.naprawksef.pl/*
# out-of-scope:
#   third-party SaaS endpoints (Stripe, Supabase, Resend,
#   Hetzner, PostHog, Sentry) - please report to the
#   respective vendor's PSIRT instead.
#
# Severity rating: CVSS 3.1 with adjustments per OWASP API Top 10.
# No monetary bounty program at this time - we acknowledge valid
# findings privately and prioritize a fast fix. See /security for
# response SLA and rules of engagement.