# Security Policy for EverFold

## Reporting Security Issues

We take the security of our customers' data and our platform seriously. If you believe you've found a security vulnerability, we encourage you to report it to us responsibly.

## How to Report

Please send security reports to: **security@everfold.co.uk**

Include the following details in your report:

- Description of the vulnerability
- Steps to reproduce the issue
- Potential impact
- Suggested fix (if any)

## Our Commitment

- We will acknowledge receipt of your report within 48 hours
- We will investigate all legitimate reports promptly
- We will not take legal action against researchers who follow responsible disclosure
- We will credit researchers who help us improve our security (with their permission)

## Scope

The following are in scope:

- Our website (everfold.co.uk and related domains)
- Our API endpoints
- Customer data protection mechanisms
- Payment processing security

## Out of Scope

The following are NOT in scope:

- Denial of service attacks
- Social engineering attacks on our staff
- Physical security testing
- Third-party services not operated by EverFold

## Bug Bounty

While we do not currently offer a formal bug bounty program, we sincerely appreciate security researchers who help us keep our platform safe. We will consider appropriate recognition for significant findings.

## Security Measures

We employ the following security measures:

- SSL/TLS encryption for all data in transit
- Secure payment processing via Stripe
- Regular security audits of our code
- Data minimisation practices
- GDPR compliance for customer data

Last updated: 2025-02-17

Contact: hello@everfold.co.uk