vardesyn — Responsible Disclosure Policy
=========================================
Last updated: 2026-03-31

SCOPE
-----
This policy applies to vulnerabilities found on vardesyn.no and any
associated infrastructure operated by vardesyn.

IN SCOPE
--------
- vardesyn.no and its subdomains
- Any software or services developed and operated by vardesyn

OUT OF SCOPE
------------
- Third-party services or libraries not under our direct control
- Social engineering attacks against personnel
- Denial-of-service (DoS/DDoS) attacks
- Vulnerabilities requiring physical access to a device

HOW TO REPORT
-------------
Send findings to: security@vardesyn.no
Encrypt reports using the public key at: https://vardesyn.no/pgp-key.txt

Please include:
- Description of the vulnerability
- Steps to reproduce (proof-of-concept if available)
- Potential impact assessment
- Your contact details if you wish to be acknowledged

RESPONSE TIMELINE
-----------------
Acknowledgment: within 2 business days
Status update: within 7 days
Resolution target: within 30 days for critical issues

WHAT WE ASK
-----------
- Do not publicly disclose the issue until we have had the opportunity to fix it
- Do not access, modify, or delete data that does not belong to you
- Do not perform actions that could impact the availability of our services
- Act in good faith

WHAT YOU CAN EXPECT FROM US
----------------------------
- We will acknowledge your report promptly
- We will keep you informed of progress
- We will not take legal action against researchers acting in good faith
- We will credit you in our acknowledgments (if desired)

ACKNOWLEDGMENTS #acknowledgments
---------------
We are grateful to the following researchers for responsible disclosure:
(none yet — be the first)