# Security Policy for Clikkle
# This file provides information about our security practices and how to report vulnerabilities

# Contact Information
Contact: security@clikkle.com
Contact: https://clikkle.com/security/contact
Encryption: https://clikkle.com/.well-known/pgp-key.txt

# Security Team
Expires: 2025-12-02
Preferred-Languages: en, es, fr, de
Canonical: https://clikkle.com/.well-known/security.txt
Policy: https://clikkle.com/security/policy
Acknowledgments: https://clikkle.com/security/hall-of-fame
Hiring: https://clikkle.com/careers/security

# Vulnerability Reporting
# We take security seriously at Clikkle. If you discover a vulnerability, please:
#
# 1. Do not exploit the vulnerability beyond what is necessary to demonstrate it
# 2. Do not share the vulnerability with others until it has been resolved
# 3. Provide detailed information about the vulnerability including:
#    - Steps to reproduce
#    - Potential impact
#    - Suggested fix (if available)

# Response Time
# - Initial response: Within 24 hours
# - Investigation: Within 7 days
# - Resolution: Within 90 days (depending on severity)

# Bug Bounty
# We operate a responsible disclosure program. While we don't have a formal bug bounty program,
# we recognize and thank security researchers who help us improve our security.

# Security Measures
# - SOC 2 Type II certified
# - Regular security audits
# - Penetration testing
# - Vulnerability scanning
# - Bug bounty program participation
# - Security training for employees

# Compliance
# - GDPR compliant
# - HIPAA ready
# - PCI DSS compliant (for payment processing)
# - ISO 27001 aligned

# Last Updated
# Last updated: 2024-12-02
# Next review: 2025-06-02