# Cloudron Security Policy
Contact: mailto:security@cloudron.io
Expires: 2030-06-01T12:00:00.000Z
Preferred-Languages: en

# Bug Bounty & Compensation Policy
# Please note: Cloudron does not offer monetary rewards, bug bounties, or swag for vulnerability submissions.
# If your report was generated under the assumption of financial compensation, please consider this notification that no payment will be issued.
# If you are an ethical researcher reporting an issue in good faith to protect our users, we sincerely thank you.
# Our team will review your technical proof-of-concept (PoC) and respond within 3 business days if we require further details.

# Demo Instance Restrictions
# Please note: Testing or submitting vulnerability reports regarding our public demo instance is strictly prohibited and will not be accepted.
# All security research must be conducted exclusively on your own self-hosted, isolated installation of Cloudron.

# Security Issue Reporting
# To report an issue, please email security@cloudron.io with the following details:
# 1. Product version
# 2. A vulnerability description
# 3. Reproduction steps
# 4. Your preferred attribution details (e.g., name, website link, or profile) if you wish to be credited.
#
# A member of the security team will confirm the vulnerability, determine its impact, and develop a fix.
# The fix will be applied to the master branch, tested, and packaged in the next security release.
# Valid and responsible disclosures will be publicly acknowledged in our official release blog post.
# The vulnerability will be publicly announced after the release.

# Responsible Disclosure Guidelines
# The Cloudron community kindly requests that you comply with the following guidelines:
# - Only test for vulnerabilities on your own install of Cloudron.
# - Confirm the vulnerability applies to a supported product version.
# - Share vulnerabilities in detail only with the security team.
# - Allow reasonable time for a response from the security team.
# - Do not publish information related to the vulnerability until Cloudron has made an announcement to the community.

# Supported Product Versions
# Cloudron follows a rolling release schedule, thus we do not currently have LTS versions.
# The latest version published for updates is the currently supported version.
# We will not support any security issue backports to non-current versions, but will require the user to update to the latest version, where fixes will be applied.