# EZSUIT (Small Claims) — Vulnerability disclosure policy
# Standard: RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116)

Contact: mailto:roysupport@ez-suit.org
Preferred-Languages: he, en
Canonical: https://ez-suit.org/.well-known/security.txt
Policy: https://ez-suit.org/privacy
Expires: 2027-05-17T00:00:00.000Z

# Responsible-disclosure summary:
#
# We welcome security research and respond to good-faith reports.
# Please:
#   - Email roysupport@ez-suit.org with the issue, reproduction steps,
#     and the version / commit you tested against.
#   - Give us a reasonable window to fix before public disclosure
#     (target: 30 days, longer if the issue is complex).
#   - Avoid actions that degrade service, access data not your own,
#     or violate Israeli law (Computers Law, Protection of Privacy Law).
#
# What we will do:
#   - Acknowledge receipt within 3 business days.
#   - Triage and update you on progress within 14 days.
#   - Credit you in the fix announcement if you'd like.
#
# Out of scope:
#   - Social-engineering attacks against EZSUIT staff.
#   - Denial-of-service or rate-limit testing.
#   - Vulnerabilities in third-party services (Anthropic, Stripe,
#     Cardcom, Vercel, Cloudflare) — please report those upstream.