Contact: https://contro1.com/contact
Contact: mailto:ariel@contro1.com
Expires: 2027-02-05T00:00:00.000Z
Preferred-Languages: en, he
Canonical: https://contro1.com/.well-known/security.txt

# Security Policy

Thank you for helping keep Contro1 and our users safe!

## Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly:

1. **Preferred**: Use our contact form at https://contro1.com/contact
   - Select "Security Issue" category
   - Include detailed steps to reproduce the issue
   
2. **Alternative**: Email us at ariel@contro1.com with subject "SECURITY"

We take all security reports seriously and will respond within 48 hours.

## Scope

In scope:
- contro1.com domain and subdomains
- API endpoints at /api/*
- Authentication and authorization issues
- Data leakage or privacy concerns
- XSS, CSRF, SQL injection, etc.

Out of scope:
- Third-party services we integrate with
- Social engineering attacks
- Denial of service attacks
- Scanner results from third-party websites

## Disclosure Policy

- Please allow us 90 days to address the issue before public disclosure
- We will keep you informed of our progress
- We may offer recognition for valid reports

## Safe Harbor

We consider security research conducted in accordance with this policy to be:
- Authorized concerning any applicable anti-hacking laws
- Lawful and in good faith
- Exempt from DMCA for circumventing technological measures

Thank you for keeping Contro1 secure!