# Vulnerability Disclosure Policy — pet.ge
# RFC 9116: https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:security@pet.ge
Contact: mailto:info@pet.ge
Expires: 2027-04-30T23:59:00.000Z
Preferred-Languages: en, ka, ru
Canonical: https://pet.ge/.well-known/security.txt
Policy: https://pet.ge/security-policy

# Scope
# In-scope assets:
# - https://pet.ge (production site)
# - https://*.pet.ge (subdomains we operate)
#
# Out-of-scope:
# - Third-party services we integrate with (Shopify checkout, payment gateways)
# - Social profiles (Instagram, Facebook, TikTok)
# - Findings already reported by automated scanners (TLS config, DMARC, etc.)
#
# Please report:
# - Authentication or authorization flaws (auth bypass, IDOR, broken access control)
# - Injection vulnerabilities (SQL, NoSQL, XSS, SSRF, command injection)
# - Sensitive data exposure (PII, payment data, OTP / session leaks)
# - Server-side misconfigurations leading to RCE
# - Account takeover paths
#
# What we promise:
# - Acknowledge your report within 5 business days.
# - Triage and provide an initial response within 14 business days.
# - Credit you in our hall-of-fame (with permission) once the issue is fixed.
# - We do NOT pursue legal action against good-faith researchers who comply
#   with this policy and avoid privacy violations, service degradation, or
#   destruction of data.