# Security Policy
## Reporting a Vulnerability
If you discover a security vulnerability in this project, please report it
responsibly. We take security seriously and will respond promptly.

**Email**: security@hyperi.io

Please include:
- A description of the vulnerability
- The affected component or version
- Steps to reproduce the issue
- Proof-of-concept code (if applicable)
- Your contact information for follow-up
## What to Expect
- **Acknowledgement**: We will acknowledge receipt of your report within
5 business days
- **Investigation**: We will investigate and keep you informed of our progress
- **Resolution**: We will work to resolve confirmed vulnerabilities promptly
- **Disclosure**: We will coordinate with you on an appropriate disclosure
timeline
## Safe Harbour
We will not pursue legal action against security researchers who:
- Report vulnerabilities in good faith
- Make reasonable efforts to avoid privacy violations, data destruction,
and service disruption
- Do not access or modify data beyond what is necessary to demonstrate
the vulnerability
- Allow reasonable time for us to address the issue before public disclosure
- Comply with applicable Australian law
## Recognition
With your permission, we will credit you for the discovery of confirmed
vulnerabilities. We do not currently offer monetary bounties, but we value
and appreciate responsible disclosure.
## Out of Scope
The following are generally out of scope:
- Social engineering or phishing attacks
- Denial of service (DoS/DDoS) attacks
- Physical security issues
- Attacks requiring access to a user's device or account
- Issues in third-party dependencies (please report these to the relevant
maintainer)
- Theoretical vulnerabilities without proof of exploitability
- Missing security headers or SSL/TLS configuration issues that are not
directly exploitable
## Contact
**Security reports**: security@hyperi.io

For non-security issues, please use the project's issue tracker.