Coordinated Vulnerability Disclosure

At Fanorg, we take the security of our systems very seriously. Despite our best efforts to maintain the security of our systems, vulnerabilities may still exist. If you discover a vulnerability in one of our systems, we would appreciate it if you let us know as soon as possible so that we can take the necessary measures. We are committed to working with you to better protect our customers and our systems.

Scope

This policy applies to all products, services, and infrastructure owned by Fanorg. If you are unsure whether your findings are within scope, feel free to reach out to us for clarification.

Points to consider when reporting a vulnerability (CVD)

We kindly ask you to:

- Report the vulnerability immediately upon discovery.
- Send your findings via email to security@fanorg.com. If possible, use our PGP key (see security.txt) to encrypt your findings to ensure they remain secure.
- Provide sufficient details for us to reproduce and understand the issue. Typically, the affected system's IP address or URL and a clear description of the vulnerability are sufficient, but more information may be required for complex issues.
- Leave your contact information (an email address or phone number) so our security team can reach out to collaborate on a resolution.
- Refrain from sharing the details of the vulnerability with others until we have resolved the issue, and delete all confidential information obtained via the vulnerability after it has been resolved.
- Act responsibly by avoiding actions that could cause harm beyond what is necessary to demonstrate the vulnerability: for example, do not download more data than needed to prove the issue, and do not view, delete, or modify third-party data.

Responsible behavior

Please avoid the following actions when investigating vulnerabilities:

- Do not install malware.
- Do not modify, copy, or delete any information or configurations of the system beyond what is necessary to demonstrate the vulnerability.
- Avoid brute force attacks, denial-of-service (DoS) attacks, physical attacks, social engineering tactics, or attacks on third-party applications.

Our commitment to you

If your report adheres to these guidelines, we will:

- Not take legal action against you. We value the work of the research community and are committed to working in good faith.
- Handle your report confidentially, and not share your details without your consent unless required by law. Reporting under a pseudonym is also possible.
- Acknowledge receipt of your report within three business days.
- Provide an assessment of the vulnerability and an estimated resolution date as soon as possible.
- Keep you informed of our progress and work to resolve the issue in a timely manner.

Out-of-scope issues

- Self-XSS
- Social engineering attacks
- Denial of Service (DoS)
- Physical property attacks
- Vulnerabilities using stolen credentials
- Issues that only affect outdated software or browsers

We strive to resolve all issues as quickly as possible and are happy to be involved in any potential publication regarding the problem once it has been resolved.

For more information, please see: https://fanorg.net/.well-known/security.txt