Contact: mailto:security@ddactic.net
Expires: 2027-05-01T09:04:31.000Z
Preferred-Languages: en, he
Canonical: https://ddactic.net/.well-known/security.txt
Policy: https://ddactic.net/security
Acknowledgments: https://ddactic.net/security#acknowledgments

# DDactic security disclosure policy
#
# We welcome reports from security researchers, customers, and CISOs probing
# our externally reachable surfaces. Reasonable testing of our public demo
# target (challenge.ddactic.net) is encouraged — it is intentionally
# vulnerable. Testing of customer dashboards or production APIs requires
# pre-coordination with security@ddactic.net.
#
# What we ask:
# - No automated scanning or DDoS against authenticated dashboards
# - No data exfiltration beyond what's needed to demonstrate impact
# - No social engineering of DDactic staff or customers
# - Disclose privately first; coordinate public disclosure
#
# What you get:
# - Acknowledgment within 48 hours
# - Triage update within 7 days
# - Recognition on https://ddactic.net/security#acknowledgments (opt-in)
# - For real, exploitable findings: Founding Design Partner pricing for life
#
# Out of scope:
# - challenge.ddactic.net (intentionally vulnerable demo target)
# - Reports without proof of impact (theoretical issues, missing headers, etc.)
# - DoS/volumetric attacks on production