A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must thus be easily identifiable via a simple way, a security.txt notice.

Contact: mailto:support@meyka.com
Preferred-Languages: en
Expires: 2026-01-01T00:00:00z

# Policy
We welcome responsible disclosure of real, exploitable vulnerabilities that could affect Meyka users or systems.  

Out of scope reports include (but are not limited to):  
- Missing DNSSEC  
- SPF/DMARC policy choices (~all vs -all, p=none, etc.)  
- Support for deprecated TLS versions (TLS 1.0/1.1)  
- Clickjacking on non-sensitive pages  
- Missing HTTP security headers without clear exploitability  
- Version disclosure or descriptive error messages  
- Reports generated solely from automated scans without proof of impact  

We do not run a paid bug bounty program. At this time, we can only provide **letters of recommendation** as recognition for meaningful contributions.  

# Safe Harbor
If you make a good-faith effort to comply with this policy, we will not pursue legal action related to your research.