# Zonneplan Security Policy
# https://www.zonneplan.nl/.well-known/security.txt
# This file follows the RFC 9116 standard: https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:security@zonneplan.nl
Expires: 2032-03-31T23:59:59.000Z
Preferred-Languages: en, nl

# Zonneplan B.V. - Coordinated Vulnerability Disclosure
#
# If you have discovered a security vulnerability in any of our
# systems, applications, or infrastructure, we would like to hear
# from you.
#
# Guidelines:
# - Report the vulnerability as soon as possible after discovery.
# - Do not exploit the vulnerability beyond what is necessary to
#   demonstrate the issue.
# - Do not access, modify, or delete data belonging to others.
# - Do not use denial-of-service attacks, social engineering, spam,
#   or physical attacks against Zonneplan employees or infrastructure.
# - Do not share information about the vulnerability with third
#   parties until it has been resolved.
# - Provide sufficient information to reproduce the vulnerability,
#   including IP addresses, URLs, and a clear description.
#
# Our commitment:
# - We will acknowledge your report within 3 business days.
# - We will provide an initial assessment within 5 business days.
# - We will keep you informed of our progress.
# - We will resolve the vulnerability as soon as possible, and no
#   later than 90 days after the initial report.
# - We will not take legal action against you if you have acted in
#   good faith and in accordance with this policy.
# - We will credit you (if desired) when we communicate about the
#   vulnerability.