# Adha Tours Security Policy
# https://securitytxt.org/
# RFC 9116 Compliant

# Primary security contacts
Contact: mailto:security@adhatours.co.id
Contact: mailto:contact@gardasys.biz.id

# Expiration date (update annually)
Expires: 2027-01-16T00:00:00.000Z

# Preferred languages for security reports
Preferred-Languages: id, en

# Canonical location of this file
Canonical: https://adhatours.co.id/.well-known/security.txt

# Security policy with disclosure guidelines
Policy: https://adhatours.co.id/security-policy

# Hall of fame for security researchers
Acknowledgments: https://adhatours.co.id/security-policy#acknowledgments

# ============================================
# Responsible Disclosure Guidelines
# ============================================
#
# If you discover a security vulnerability, please report it
# to us using the contact information above. We take all
# security reports seriously and will respond within 48 hours.
#
# What to include in your report:
# - Description of the vulnerability
# - Steps to reproduce the issue
# - Potential impact assessment
# - Your contact information (optional for anonymous reports)
#
# We commit to:
# - Acknowledge receipt within 48 hours
# - Provide regular updates on remediation
# - Not pursue legal action for good-faith reports
# - Credit researchers (with permission) after fixes
#
# Out of scope:
# - Denial of Service (DoS/DDoS) attacks
# - Social engineering of staff
# - Physical security testing
# - Third-party services we integrate with