# Vulnerability disclosure policy for Exceptao (RFC 9116).
# If you believe you have found a security issue affecting Exceptao or the
# underlying multi-tenant platform, please email the address below.
# We acknowledge receipt within 2 business days and aim to triage within 5.

Contact: mailto:security@exceptao.com
Expires: 2027-05-14T00:00:00Z
Preferred-Languages: en, pl
Policy: https://exceptao.com/security
Acknowledgments: https://exceptao.com/security#acks
Canonical: https://exceptao.com/.well-known/security.txt

# We treat all reports as confidential. Coordinated disclosure is strongly
# preferred — please allow us reasonable time to remediate before any public
# disclosure. We do not currently operate a formal paid bug-bounty programme;
# cash rewards are considered on a case-by-case basis for high-severity findings
# while we evaluate Intigriti / HackerOne for 2026 H2.
#
# Good-faith security research conducted in accordance with this policy will not
# be met with legal action. See the Policy URL for the full safe-harbour terms.