# Security policy — AutoDealerPro Contact: mailto:security@autodealerpro.io Contact: https://autodealerpro.io/security Expires: 2027-05-01T00:00:00.000Z Encryption: https://autodealerpro.io/.well-known/pgp-key.asc Preferred-Languages: en Canonical: https://autodealerpro.io/.well-known/security.txt Policy: https://autodealerpro.io/security Acknowledgments: https://autodealerpro.io/security/hall-of-fame # Reporting # We respond to all credible reports within 1 business day. # Critical vulnerabilities (RCE, full data exfil, auth bypass): 4 hours. # Please include reproduction steps, affected URL, and any user accounts # you used. Do not access data you didn't create unless minimally needed # to demonstrate the issue. # Out of scope # - Reports based on automated scanners with no proof of exploitability # - Missing security headers on internal-only paths # - Self-XSS, CSRF on logout # - Rate limits on public endpoints (we set them deliberately permissive)