# Security Policy for haricrm.com
# See https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:security@haricrm.com
Expires: 2027-04-09T00:00:00.000Z
Preferred-Languages: en, fr, zh-HK
Canonical: https://haricrm.com/.well-known/security.txt
Policy: https://haricrm.com/security-policy

# Reporting guidelines
# - Please do NOT publicly disclose vulnerabilities before we've had a chance
#   to respond. We aim to acknowledge reports within 48 hours.
# - Include clear reproduction steps and the affected version/environment
#   where possible.
# - We operate a responsible disclosure program. Credit is given to reporters
#   in our security advisories unless anonymity is requested.
#
# Out of scope:
# - Social engineering of HARi staff or customers
# - Physical attacks against HARi infrastructure
# - Denial of service attacks
# - Automated vulnerability scanner reports without proof of exploit