# BambooPaper.in — security disclosure
# RFC 9116 (https://www.rfc-editor.org/rfc/rfc9116).
#
# If you've found a vulnerability — anything from XSS or SSRF on the
# storefront, to leakage of admin / customer / order data, to a broken
# rate-limit or webhook signature bypass — please report it via the
# contact below. We acknowledge within 2 business days and aim to ship
# a fix or mitigation within 14 days for high-severity issues.
#
# Out of scope:
#   · Reports against generated PDF invoices, MSDS, or marketing PDFs
#   · Self-XSS that requires the user to paste code into their console
#   · Missing rate-limit headers on bots / scrapers
#   · DMARC / SPF / DKIM weakness on outbound transactional email
#   · Best-practice nags from automated scanners without a working PoC
#
# We currently do NOT operate a paid bug-bounty programme. Public
# acknowledgement on the site security-credits page is offered with the
# reporter's permission for valid in-scope findings.

Contact: mailto:security@bamboopaper.in
Contact: https://bamboopaper.in/contact/
Expires: 2027-12-31T23:59:59.000Z
Preferred-Languages: en, hi
Canonical: https://bamboopaper.in/.well-known/security.txt
Policy: https://bamboopaper.in/security/
Acknowledgments: https://bamboopaper.in/security-credits/