# Security disclosure policy (RFC 9116)
Contact: mailto:security@bythepeopleforthepeople.com
Expires: 2026-11-29T10:07:22.275Z
Preferred-Languages: en
Canonical: https://bythepeopleforthepeople.com/.well-known/security.txt
Policy: https://bythepeopleforthepeople.com/security
Acknowledgments: https://bythepeopleforthepeople.com/humans.txt

# Reports we want
# - Authentication or session bypass
# - Server-side request forgery or remote code execution
# - Personal-data exposure (we collect almost none, but anything beyond the place cookie is a bug)
# - Source-trail tampering or integrity holes
# - DNS/SSL/email-spoofing risks for the domain

# Reports we do not want
# - Missing security headers without a working exploit chain
# - Tabnabbing on outbound source links (we use rel=noreferrer)
# - Lack of rate limiting on public API endpoints (intentional fair-use access)

# Acknowledgment
# We try to reply within 5 business days. We will not pursue legal action
# against good-faith research conducted under common-sense norms (do not
# exfiltrate user data, do not disrupt service, do not retain personal data,
# respect robots.txt).