Security Policy

Ceredigion Network is committed to protecting the privacy and security of our users. We welcome contributions from the cybersecurity community and encourage responsible vulnerability disclosure.

Scope

This policy applies to the following services:

  • www.ceredigion.net and its subdomains
  • Ceredigion Network APIs and web services
  • Any other services administered by Ceredigion Network

Research Guidelines

When researching vulnerabilities, you should:

  • Respect user privacy - Don't access, store, or disclose user data
  • Avoid service disruption - Don't interrupt services or cause harm
  • Act lawfully - Stay within terms of service and applicable law
  • Disclose responsibly - Give us a chance to resolve issues before public disclosure

Out of Scope

The following are not part of this policy:

  • Social engineering attacks (e.g., phishing, pretexting)
  • Distributed denial of service (DDoS) attacks
  • Spam or mass email campaigns
  • Physical security findings
  • Third-party services we don't control

How to Report

If you've discovered a security vulnerability:

  1. Email us at info@ceredigion.net
  2. Use PGP encryption for sensitive messages (download public key)
  3. Provide details - Reproduction steps, impact, and proof of concept if possible
  4. Give us time - Allow 90 days for resolution before public disclosure

What to Include

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Assessment of potential impact
  • Any proof of concept code (if safe to share)
  • Your contact details for follow-up

Our Commitment

When you report a vulnerability responsibly, we promise to:

  • Acknowledge receipt within 48 hours
  • Provide regular updates on resolution progress
  • Work with you to understand and remediate the issue
  • Give credit on our Hall of Fame (if you wish)
  • Not pursue legal action for research complying with this policy

Response Timeline

  • Initial acknowledgment: Within 48 hours
  • Triage assessment: Within 5 business days
  • Progress updates: At least every two weeks
  • Resolution timeline: Depends on severity (30-90 days)

Contact Us

Policy last updated: October 18, 2025