Security Policy

1. Reporting Security Issues

If you believe you found a vulnerability in Cripsy.md, email the security contact below. Include enough detail for us to reproduce and evaluate the issue.

• Affected URL, endpoint, feature, or account state.
• Steps to reproduce and expected impact.
• Any proof-of-concept details that avoid exposing other users' data.
• Your preferred contact information.

2. Good-Faith Research Rules

We welcome good-faith reports that follow these rules.

• Do not access, modify, delete, copy, download, disclose, or retain data that is not yours.
• Do not degrade, interrupt, overload, social-engineer, spam, phish, or physically attack the service, users, employees, or service providers.
• Do not test third-party services such as authentication, hosting, DNS, email, or CDN providers unless those providers separately authorize it.
• Stop testing and contact us immediately if you encounter data exposure, account access, secrets, or service instability.
• Give us a reasonable opportunity to investigate and remediate before public disclosure.

3. Safe Harbor

We will not pursue legal action against security research that is authorized by this policy, performed in good faith, avoids privacy harm and service disruption, and is reported promptly to us.

This policy does not authorize extortion, threats, destructive testing, unauthorized access to third-party systems, or violations of law.

4. No Bounty Program

Cripsy.md does not currently operate a paid bug bounty program. Reports are appreciated, but no payment, reward, employment, or contract is promised unless agreed in writing before testing.