A vulnerability disclosure policy (VDP), also referred to as a responsible disclosure policy, describes how an organization will handle reports of vulnerabilities submitted by ethical hackers. A VDP must therefore be easy to locate, and the standard way to make it so is a security.txt notice.
# =============================================================================
# Security.txt - RFC 9116 Compliant
# TuneFlow Dynamics - Responsible Disclosure Policy
# =============================================================================
# Last Updated: 2025-10-14
# Expires: 2026-10-14T00:00:00.000Z
# Purpose: Provide security researchers with contact information
# Standard: https://securitytxt.org/
# =============================================================================

# Contact Information - Primary
Contact: mailto:support@tuneflowdynamics.com

# Preferred Languages
Preferred-Languages: en

# Canonical URL (This file serves as the security policy)
Canonical: https://tuneflowdynamics.com/.well-known/security.txt

# Expiration Date (1 year from last update)
Expires: 2026-10-14T00:00:00.000Z

# =============================================================================
# SCOPE
# =============================================================================
# In Scope:
# - *.tuneflowdynamics.com (all subdomains)
# - Production and staging environments
# - Web application vulnerabilities (XSS, CSRF, SQLi, etc.)
# - Authentication and authorization issues
# - API security issues
# - Infrastructure vulnerabilities
#
# Out of Scope:
# - auth.tuneflowdynamics.com
# - Social engineering attacks
# - Physical security issues
# - DDoS attacks
# - Spam or phishing reports
# - Issues in third-party services (Auth0, Stripe, etc)
# - Vulnerabilities requiring outdated browsers
# =============================================================================

# =============================================================================
# SUBMISSION METHODS
# =============================================================================
# Preferred Method: Web Form (Most Secure)
# - https://tuneflowdynamics.com/security/report
# - Structured submission with automatic validation
# - Instant confirmation with report tracking ID
#
# Alternative: Email Submission
# - mailto:support@tuneflowdynamics.com
# - Subject: [SECURITY] [SEVERITY] Brief Description
# - Plain text or markdown format ONLY
#
# For Encrypted Reports (Optional):
# - Use PGP encryption with our public key
# - Key available at: https://tuneflowdynamics.com/pgp-key.txt
# - Fingerprint: (Will be generated - see instructions below)
# =============================================================================

# =============================================================================
# SAFE REPORTING FORMATS
# =============================================================================
# ✅ ACCEPTED:
# - Plain text in email body or web form
# - Markdown format
# - Links to external services:
#   * Screenshots: Imgur, CloudFlare Images
#   * Code samples: GitHub Gist, Pastebin
#   * Videos: YouTube (unlisted), Vimeo
#
# ❌ NOT ACCEPTED (Security Risk):
# - File attachments (PDF, DOCX, ZIP, etc.)
# - Executable files or scripts
# - HTML attachments
# - SVG images (can contain JavaScript)
# - Office documents with macros
#
# Why? Malicious attachments can compromise our security team's systems.
# Use external hosting and provide links instead.
# =============================================================================

# =============================================================================
# RESPONSIBLE DISCLOSURE GUIDELINES
# =============================================================================
# 1. Report security vulnerabilities privately via email or web form
# 2. Allow reasonable time for us to respond (48-72 hours)
# 3. Do not exploit vulnerabilities beyond proof-of-concept
# 4. Do not access, modify, or delete user data
# 5. Do not perform actions that could harm availability
# 6. Do not publicly disclose until we've issued a fix
# 7. Provide detailed steps to reproduce the issue
#
# What to Include in Your Report:
# - Vulnerability type and severity assessment
# - Affected URL/endpoint
# - Detailed reproduction steps
# - Proof-of-concept (links to screenshots, code, etc.)
# - Your contact information
# - Any suggested remediation
#
# Response Timeline:
# - Initial response: Within 72 hours
# - Status updates: Every 7 days
# - Resolution timeline: Varies by severity
#   - Critical: 24-48 hours
#   - High: 7 days
#   - Medium: 30 days
#   - Low: 90 days
# =============================================================================

# =============================================================================
# VULNERABILITY SEVERITY CLASSIFICATION
# =============================================================================
# Critical: Remote code execution, authentication bypass, data breach
# High: SQL injection, XSS with data access, privilege escalation
# Medium: CSRF, information disclosure, business logic flaws
# Low: Self-XSS, rate limiting issues, best practice violations
# =============================================================================

# =============================================================================
# SAFE HARBOR
# =============================================================================
#
# TuneFlow Dynamics commits to:
# - Not pursue legal action against researchers who follow these guidelines
# - Work with researchers to understand and resolve issues
# - Acknowledge researchers publicly (with permission)
# - Keep researcher information confidential
#
# We ask researchers to:
# - Make good faith efforts to avoid privacy violations and service disruption
# - Only test against accounts you own or have explicit permission to test
# - Not use automated scanners without prior approval
# - Not access data belonging to other users
# =============================================================================

# =============================================================================
# RECOGNITION
# =============================================================================
# We appreciate security researchers who help keep TuneFlow Dynamics secure.
# With your permission, we will:
# - Acknowledge you on our security acknowledgments page
# - Thank you in release notes (if applicable)
# - Provide a reference letter upon request
#
# Note: We do not currently offer a bug bounty program, but we deeply value
# responsible disclosure and will recognize your contribution appropriately.
# =============================================================================

# =============================================================================
# ADDITIONAL RESOURCES
# =============================================================================
# Required (create these):
# - Terms of Service: https://tuneflowdynamics.com/terms
# - Privacy Policy: https://tuneflowdynamics.com/privacy
# - Security Report Form: https://tuneflowdynamics.com/security/report
#
# Optional (nice to have):
# - Security Best Practices: https://tuneflowdynamics.com/security/best-practices
#   Guide for your users: password security, 2FA setup, phishing awareness
#
# - Status Page: https://status.tuneflowdynamics.com
#   Shows uptime/downtime (Use services like: StatusPage.io, UptimeRobot, Better Uptime)
#   Only needed if you have paying customers expecting SLA monitoring
# =============================================================================

# =============================================================================
# PGP KEY SETUP INSTRUCTIONS (FOR TUNEFLOW TEAM)
# =============================================================================
# To enable encrypted security reports, follow these steps:
#
# 1. Generate PGP Key Pair (Using GPG):
#    gpg --full-generate-key
#    - Choose: (1) RSA and RSA (default)
#    - Key size: 4096 bits
#    - Expiration: 2 years (security@tuneflowdynamics.com should renew)
#    - Name: TuneFlow Dynamics Security Team
#    - Email: security@tuneflowdynamics.com
#    - Comment: For encrypted vulnerability reports
#
# 2. Export Public Key:
#    gpg --armor --export security@tuneflowdynamics.com > pgp-key.txt
#
# 3. Upload to Frontend:
#    - Place pgp-key.txt in: Frontend/public/pgp-key.txt
#    - This makes it accessible at: https://tuneflowdynamics.com/pgp-key.txt
#
# 4. Get Fingerprint:
#    gpg --fingerprint security@tuneflowdynamics.com
#    - Update line 60 above with the fingerprint
#
# 5. Add Encryption Field to security.txt (line 13):
#    Encryption: https://tuneflowdynamics.com/pgp-key.txt
#
# 6. Store Private Key Securely:
#    - Export private key: gpg --armor --export-secret-keys security@tuneflowdynamics.com > private-key.asc
#    - Store in password manager (1Password, Bitwarden)
#    - Share with security team via secure channel
#    - DO NOT commit to git or store in plaintext
#
# 7. Decrypt Reports:
#    - Researchers encrypt with public key
#    - You decrypt with: gpg --decrypt encrypted_report.txt
#
# Key Management:
# - Renew key every 2 years
# - Revoke if compromised: gpg --gen-revoke security@tuneflowdynamics.com
# - Publish revocation certificate to key servers if needed
# =============================================================================
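As an added example (not part of the FireBounty page or TuneFlow's own tooling), a small Python checker that parses a security.txt like the one above, skipping the comment-heavy body, and flags the RFC 9116 rules a reviewer most often finds broken: a missing Contact, an Expires field that is absent, duplicated or already past, and non-https URLs in the URL-valued fields. The SAMPLE text, the CRAWL_DATE constant and the function names are constructed for this example.

```python
import re
from datetime import datetime, timezone
# Constructed sample: a trimmed copy of the policy above (comments included),
# not the live file served at tuneflowdynamics.com.
SAMPLE = """\
# Security.txt - RFC 9116 Compliant
# Expires: 2026-10-14T00:00:00.000Z   <- comment: the parser must ignore it
Contact: mailto:support@tuneflowdynamics.com
Preferred-Languages: en
Canonical: https://tuneflowdynamics.com/.well-known/security.txt
Expires: 2026-10-14T00:00:00.000Z
"""
# Constructed reference time: the crawl date shown on this page.
CRAWL_DATE = datetime(2025, 12, 3, tzinfo=timezone.utc)
FIELD_RE = re.compile(r"^([A-Za-z-]+):\s*(.+?)\s*$")

def parse_security_txt(text):
    """Map field name -> list of values; '#' comment lines and blanks are skipped."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m and not line.lstrip().startswith("#"):
            fields.setdefault(m.group(1), []).append(m.group(2))
    return fields

def validate(text, now=None):
    """Apply the RFC 9116 rules that most often break in practice; return findings."""
    now = now or datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    findings = []
    contacts = fields.get("Contact", [])
    if not contacts:
        findings.append("missing Contact (RFC 9116 requires at least one)")
    for c in contacts:
        if not c.startswith(("mailto:", "tel:", "https://")):
            findings.append(f"Contact is not a mailto:, tel: or https:// URI: {c}")
    expires = fields.get("Expires", [])
    if len(expires) != 1:
        findings.append("Expires must appear exactly once")
    else:
        try:  # RFC 3339 timestamp; 'Z' rewritten for older fromisoformat()
            if datetime.fromisoformat(expires[0].replace("Z", "+00:00")) <= now:
                findings.append("Expires is in the past: the file is stale")
        except ValueError:
            findings.append(f"Expires is not an RFC 3339 timestamp: {expires[0]}")
    if len(fields.get("Preferred-Languages", [])) > 1:
        findings.append("Preferred-Languages must not appear more than once")
    for name in ("Canonical", "Encryption", "Policy", "Acknowledgments"):
        for v in fields.get(name, []):
            if not v.startswith("https://"):
                findings.append(f"{name} must be an https:// URL: {v}")
    return findings
```

Run it against the fetched file on a schedule: the Expires check is what catches a policy that has silently gone stale, which is the commonest security.txt defect in the wild.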
This policy was crawled by Onyphe on 2025-12-03 and is classified as securitytxt.
FireBounty © 2015-2025