# Security Policy

## Reporting a Vulnerability

Report suspected security issues to `security@mreh.foundation`.

Please include:

- a clear description of the issue
- affected pages, assets, or repository paths
- steps to reproduce when relevant
- any supporting screenshots or logs, provided they do not expose sensitive data unnecessarily

## Response Expectations

MREH Foundation aims to:

- acknowledge credible reports within 3 business days
- assess impact and next steps in good faith
- coordinate communication about remediation before public disclosure, when appropriate

## Scope

This policy applies to:

- the static website in this repository
- repository configuration and published content
- supporting scripts or assets added in future revisions

## Safe Reporting

Please avoid:

- automated scanning that disrupts service availability
- social engineering, phishing, or physical intrusion attempts
- public disclosure before a reasonable remediation window has been discussed
- accessing, modifying, or retaining data beyond what is necessary to demonstrate the issue

## Notes

This repository is a static baseline. Production infrastructure, domain configuration, and mail
delivery settings should be reviewed separately as the organization’s operational footprint grows.
