# CVJinny — Security Disclosure Policy
# https://cvjinny.com/security
#
# We welcome responsible-disclosure reports from the security
# research community. Please follow the policy below.

Contact: mailto:support@cvjinny.com
Contact: https://cvjinny.com/security
Expires: 2026-11-06T17:03:51.593Z
Preferred-Languages: en, hi
Canonical: https://cvjinny.com/.well-known/security.txt
Policy: https://cvjinny.com/security
Acknowledgments: https://cvjinny.com/security#hall-of-fame

# Scope:
#   - cvjinny.com (main domain)
#   - cvjinny.in (forwards to cvjinny.com)
#   - send.cvjinny.com (transactional email subdomain)
#   - api.cvjinny.com (when added)
#
# In scope: SQL injection, XSS, CSRF, RCE, IDOR, broken auth,
# payment-flow tampering, data-exposure, file-upload bypasses,
# forensic-watermark stripping, anti-piracy bypass.
#
# Out of scope: rate limits, missing security headers without
# demonstrated impact, social engineering of staff, DoS, physical
# security, and reports against third-party services we use.
#
# Please do NOT:
#   - Access or modify other users' data
#   - Generate excessive load (DoS / fuzz traffic)
#   - Publicly disclose before we've issued a fix
#   - Use automated scanners against production accounts
#
# We commit to:
#   - Acknowledge your report within 5 business days
#   - Provide a triage outcome within 14 business days
#   - Credit you in our hall of fame (with consent) once the fix ships
#   - Not pursue legal action for good-faith research