# ProofBadge Security Policy

Contact: mailto:security@proofbadge.com
Expires: 2026-12-17T00:00:00.000Z
Canonical: https://proofbadge.com/.well-known/security.txt
Preferred-Languages: en

# Scope

We welcome reports on security vulnerabilities in ProofBadge's web application and infrastructure.

# Out of Scope

- Clickjacking without demonstrable security impact
- CSRF on authentication forms
- Denial of service attacks
- Missing security headers without proof of exploit
- User enumeration

# Guidelines

- Do not access or modify other users' data
- Do not perform actions that could harm our services or users
- Provide sufficient detail to reproduce the issue

# Disclosure

- Do not disclose vulnerabilities publicly until we have addressed them
- We will respond within 5 business days
- We will not pursue legal action against researchers who follow these guidelines
- Credit will be given to researchers upon request

# Commitment

We take security seriously and appreciate responsible disclosure.