# Security disclosure policy — Pattaya School Guide
# Per RFC 9116. Last updated 2026-05-18.
Contact: mailto:info@pattaya-school-guide.com
Expires: 2027-05-18T00:00:00.000Z
Preferred-Languages: en, th
Canonical: https://pattaya-school-guide.com/.well-known/security.txt
Policy: https://pattaya-school-guide.com/editorial-standards/
# Out-of-scope:
# - Theoretical attacks without working proof of concept.
# - Reports based on outdated browsers or unsupported configurations.
# - DoS / volumetric attacks (handled by Cloudflare).
# - Social engineering of staff.
#
# In-scope:
# - XSS / CSRF / SSRF in any production page.
# - Subdomain takeover.
# - Sensitive data exposure (we collect almost none, but report anyway).
# - Misconfigured CSP / CORS / cookie flags.
# - Account / authentication issues (we have no user accounts — report anyway if you spot one being added accidentally).
#
# We don't run a paid bounty program. We're a one-person editorial publication.
# Genuine, polite, helpful reports get a thank-you reply within 48 hours and the fix
# shipped as soon as it's verified. Credit in the changelog on request.