# Security Policy

## Reporting Security Vulnerabilities

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly.

### How to Report

**For ZenDiS Projects:**
Send your findings to [security@zendis.de](mailto:security@zendis.de) with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
- Any suggested fixes (optional)

**For Upstream Projects:**
If the vulnerability is in an upstream component, please report it to the upstream project first.

### Response Timeline

- We acknowledge reports within 48 hours
- We aim to provide an initial assessment within 14 days
- We will keep you informed of our progress

### Coordinated Disclosure

We follow coordinated disclosure practices. After remediation, we jointly agree on the timing of any public announcement.

## SECURITY.md Template

Every ZenDiS project should include a SECURITY.md file. Use this template:

```markdown
# Security Policy

## Reporting Security Vulnerabilities

**For this project:** [Link to project's security contact or use ZenDiS default]

If you discover a security vulnerability, please report it responsibly.

### What we ask:
- Do not exploit vulnerabilities beyond the extent necessary
- Do not conduct social engineering, spam, or denial of service attacks
- Provide sufficient detail to reproduce the issue
- Include your contact information for follow-up

### What we promise:
- We will acknowledge your report within 48 hours
- We will respond with an initial assessment within 14 days
- We will keep you informed throughout the remediation process
- If you wish, we will credit you in our Hall of Fame
```

## Security Contact

- **ZenDiS Security Team:** security@zendis.de
- **PGP Key:** https://zendis.de/.well-known/product-security.asc
