# Security policy for Bee — RFC 9116
# https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:bee-security@cuilabs.io
Contact: mailto:bee-abuse@cuilabs.io
Expires: 2027-04-26T00:00:00.000Z
Preferred-Languages: en
Canonical: https://bee.cuilabs.io/.well-known/security.txt
Policy: https://bee.cuilabs.io/legal/security
Hiring: https://bee.cuilabs.io/contact

# Reporting guidelines
#
# Please include:
#   - Steps to reproduce
#   - Affected endpoint, account, or version
#   - Impact assessment (what an attacker could do)
#
# We aim to acknowledge reports within 24 hours and provide a fix or
# mitigation timeline within 5 business days for confirmed vulnerabilities.
# Coordinated disclosure is appreciated; please give us at least 90 days
# before public release unless the issue is being actively exploited.
#
# Out of scope:
#   - Denial-of-service attacks
#   - Social engineering of CUI Labs employees
#   - Physical security
#   - Issues in third-party dependencies that we have already reported
#     upstream (please verify before reporting)