# Kapy Security Contact (RFC 9116)
# https://kapy.ch/security.html

Contact: mailto:security@kapy.ch
Contact: https://kapy.ch/kontakt.html
Expires: 2027-04-30T23:59:59z
Preferred-Languages: de, en
Canonical: https://kapy.ch/.well-known/security.txt
Policy: https://kapy.ch/security.html#disclosure
Acknowledgments: https://kapy.ch/security.html#disclosure

# If you have discovered a security vulnerability in any Kapy product
# (kapy.ch, api.kapy.ch, the Liefersoftware desktop client, the
# Fahrer mobile app, or our embeddable widgets), please report it
# privately to security@kapy.ch before disclosing publicly.
#
# We aim to:
#   - acknowledge receipt within 48 hours
#   - provide a status update within 7 days
#   - publish a coordinated fix and (if you wish) credit you
#
# Out of scope:
#   - third-party services (Cloudflare, Hetzner, Infomaniak, Plausible)
#   - social engineering of Kapy staff or customers
#   - DoS / brute-force / spam attacks