# Security Policy

## Reporting a Vulnerability

We take the security of SwapAd seriously. If you discover a security vulnerability, please help us by reporting it responsibly.

### How to report

Email us at **security@swapad.app** with:
- A clear description of the issue
- Steps to reproduce
- Potential impact
- Your contact information (we will credit you in our hall of fame unless you prefer anonymity)

**Please do NOT**:
- Open a public GitHub issue for security vulnerabilities
- Exploit the vulnerability beyond what is needed to prove it exists
- Access, modify, or delete data that doesn't belong to you

### Our commitment

- **Acknowledgement** within 48 hours
- **Initial assessment** within 5 business days
- **Fix timeline** shared within 7 business days based on severity
- **Public credit** if you wish (or full anonymity)

### Scope

**In scope**:
- `swapad.app` and all subdomains
- The Next.js application and API routes
- Authentication, authorization, and billing flows
- Data handling and RGPD compliance

**Out of scope**:
- Denial of Service (DoS) attacks
- Social engineering of our team
- Physical security
- Third-party services (Supabase, Stripe, fal.ai, OpenAI) — report directly to them
- Issues in development / staging environments

### Preferred severity classification

We use CVSS 3.1. Reports without clear impact or proof of concept will be triaged as INFO.

### Safe harbor

Good-faith security research conducted according to this policy will not result in legal action from Noviantis Inc. We will not pursue civil or criminal action against researchers who:
- Follow this policy
- Avoid privacy violations, data destruction, or service disruption
- Give us reasonable time to respond before disclosing publicly

---

_Last updated: 2026-04-22_
_Company: Noviantis Inc, Miami FL, USA_