happyDomain/SECURITY.md

# Security Policy

## Supported Versions

Only the latest version of happyDomain is supported with security fixes.

| Version | Supported |
| ------- | --------- |
| latest  | ✓         |
| < latest| ✗         |


## Scope

### In scope

- happyDomain application code (API/backend and web frontend)
- Other websites directly operated by the happyDomain team: documentation, main website, blog, git redirection, downloads website, demo instance, insights

### Out of scope

- Vulnerabilities in third-party dependencies that are not directly exploitable in happyDomain
- Social engineering attacks
- Denial-of-service attacks requiring significant resources


## Reporting a Vulnerability

If you discover a security vulnerability in happyDomain, please report it privately.

By email: security@happydomain.org
On GitHub: https://github.com/happydomain/happydomain/security/advisories
On Gitlab: https://gitlab.com/happyDomain/happyDomain/-/issues/new (check Confidential issue before submitting)
On Framagit: https://framagit.org/happyDomain/happyDomain/-/issues/new (check Confidential issue before submitting)

Please include:
- description of the vulnerability
- steps to reproduce
- potential impact


## Disclosure policy

We follow a responsible disclosure process.

After receiving a report we will:
1. acknowledge within 72 hours
2. investigate the issue
3. prepare a fix
4. publish a security advisory when the fix is available


## Safe Harbor

We consider security research conducted in good faith to be authorized. We will not pursue legal action against researchers who:
- Report vulnerabilities through the channels listed above
- Avoid accessing, modifying, or deleting data that doesn't belong to them
- Avoid degrading the availability of our services
- Do not publicly disclose the vulnerability before a fix is available


## Credits

We are happy to credit security researchers who responsibly disclose vulnerabilities.