Vulnerability Disclosure Policy

We welcome responsible security research and provide clear routes for disclosure.

Send reports to security@cyber-defence.local with detailed reproduction steps and impacted assets.
Out-of-scope testing includes physical attacks, social engineering, and denial-of-service attempts.
We acknowledge submissions within two business days and share remediation timelines after triage.
Coordinated disclosure is respected; public statements are agreed with the reporter where possible.
Proof-of-concept code must avoid accessing or altering customer data.