Contact: mailto:security@shotdrive.io
Expires: 2027-04-20T00:00:00.000Z
Preferred-Languages: en, de
Canonical: https://shotdrive.io/.well-known/security.txt
Policy: https://shotdrive.io/security#disclosure

# Shotdrive Security Disclosure Policy
# ─────────────────────────────────────
# We welcome responsible disclosure of security vulnerabilities.
#
# Scope
# - shotdrive.io and all subdomains
# - drive.shotnode.io (Cloudflare Worker API)
# - The Shotdrive web and mobile clients
#
# Out of scope
# - Denial of service attacks
# - Social engineering against Shotdrive staff
# - Physical attacks
# - Third-party services (Cloudflare, Supabase, Polar, Brevo, Sentry — report to the
#   respective vendor's program). Reach out to us anyway if the issue chains through
#   our integration.
#
# Safe harbour
# We will not pursue legal action against researchers who discover and
# disclose vulnerabilities in good faith, follow this policy, and do not:
# - Access or modify data belonging to other users
# - Disrupt the service for other users
# - Publicly disclose before we have had 90 days to remediate
#
# Response SLA
# We aim to acknowledge all reports within 48 hours and provide a
# remediation timeline within 7 days.
#
# PGP
# A PGP key for encrypted disclosure will be published at
# https://shotdrive.io/security once available.