This repository has been archived by the owner on Nov 27, 2022. It is now read-only.

Security: sunset-vacation/.github

Sunset Vacation Security Policy

This is the security policy for all Sunset Vacation repositories. The policy explains how vulnerabilities should be reported to the maintainers of our projects.

Reporting a vulnerability

The Sunset Vacation team prefers responsible vulnerability disclosure. If you've found a vulnerability, we would like to know so we can fix it before it is announced publicly.

Do not open a GitHub issue for a vulnerability you have found.

Send details to admins@sunsetcity.bsoyka.me or through a Discord direct message to an admin of Sunset Vacation. You should include:

  • a brief description of the vulnerability
  • steps to exploit the vulnerability
  • optionally, the type of vulnerability and any related OWASP category

We will try to reply as soon as possible.

Exploitation

Please do not try to exploit vulnerabilities yourself on any live projects, especially if doing so could cause interruptions or errors for others.

Instead, we will look into the issue after receiving your report and will complete any necessary testing ourselves.

Bug bounty

We may be willing to offer digital rewards in exchange for responsible and private vulnerability disclosures, provided the following requirements are met:

  • You must not share any information regarding the vulnerability outside of private communication with Sunset Vacation admins.
  • You must disclose the vulnerability in a timely manner after discovering it.
  • The vulnerability must clearly affect the operation or usage of one of our projects.
  • You must be a member of the Sunset Vacation Discord server.

We are not required to provide a bounty payment. If you are interested in a potential reward, please include your Discord user ID in your message. (If you send details via Discord, this is not necessary.)

Code of Conduct

We have a code of conduct for contributors, which you can find here: https://github.com/sunset-vacation/.github/blob/main/CODE_OF_CONDUCT.md
