# Security

## Security Disclosure Policy

We take the security of our applications seriously. If you believe you have discovered a security vulnerability, we encourage you to report it to us responsibly.

### How to Report

Please send your findings to **security@chief.app** and include:

- A description of the vulnerability
- The affected applications or components
- Steps to reproduce the issue
- Any relevant screenshots or proof-of-concept code
- Your contact information (optional, but helpful for follow-up questions)

If you prefer to use PGP for secure communication, our public key is available from our [security.txt](https://chief.app/.well-known/security.txt).

### What to Expect

- We will acknowledge receipt of your report within 5 business days
- We will investigate and work to address confirmed vulnerabilities promptly
- We will keep you informed of our progress where possible
- We ask that you give us reasonable time to address the issue before any public disclosure

### Guidelines

We ask that security researchers:

- Do not access, modify, or delete data belonging to others
- Do not disrupt or degrade our services
- Do not use automated scanning tools excessively
- Act in good faith and avoid privacy violations

### No Bug Bounty Program

**We do not operate a bug bounty or reward program.** We are grateful for responsible disclosure but are unable to offer financial compensation or other rewards for vulnerability reports. By submitting a report, you acknowledge that you do so voluntarily with no expectation of payment.

### Safe Harbour

We will not pursue legal action against researchers who discover and report vulnerabilities in good faith, following the guidelines above.