docs: update security policy

Author: ovx

SECURITY.md

@@ -1,63 +1,57 @@
-# Security Vulnerability Disclosure Policy
+## Security Vulnerability Disclosure Policy
 
-We take security seriously and value the contributions of the security community. If you believe you have found a vulnerability in our services or software, we encourage you to report it responsibly so we can address it promptly.
+We take security seriously and value the contributions of researchers who act in good faith to help protect our users. If you believe you have found a vulnerability in our services or software, we encourage you to report it responsibly so we can address it promptly.
 
 ### Reporting a Vulnerability
 
-Please email your findings to published [security contacts](https://altcha.org/contact#reporting-security-issues).
+Please email your findings to our [security contacts](https://altcha.org/contact#reporting-security-issues).
 To ensure confidentiality, we recommend encrypting your report using our [PGP key](https://altcha.org/pgp/security-public-key.asc).
 
-Your report should include the following, where possible:
+Your report should include:
 
 * A clear description of the vulnerability.
 * A working proof of concept or detailed steps to reproduce the issue.
-* Any relevant logs, screenshots, or code snippets that support your findings.
+* Relevant logs, screenshots, or code snippets.
 
-We will acknowledge receipt of your report within 5 business days, and keep you informed about the progress of our investigation.
+We will acknowledge receipt of your report within 5 business days and keep you informed about our investigation.
 
 ### In-Scope
 
-We welcome reports that:
+We prioritize reports that demonstrate a real, actionable security risk to our software, services, or infrastructure, such as:
 
-* Demonstrate a real security risk (e.g., XSS, CSRF, SSRF, authentication bypass, privilege escalation, remote code execution, etc.).
-* Affect our software, services, or infrastructure directly under our control.
-* Include a valid proof of concept demonstrating how the vulnerability can be exploited.
+* Remote code execution (RCE)
+* Authentication bypass or privilege escalation
+* Server-side request forgery (SSRF)
+* Cross-site scripting (XSS) or CSRF with significant impact
 
 ### Out-of-Scope
 
-The following issues are generally not eligible for rewards, but we still welcome these reports as they help us improve overall security hygiene:
+To minimize automated noise, the following are generally excluded from our review process:
 
-* Reports from automated tools or scanners that lack actionable proof of exploitability.
-* Security recommendations or best practices such as missing HTTP security headers, TLS configurations, DNS records, or server banners.
-* Denial of service attacks that rely on large volumes of traffic.
-* Rate limiting, CAPTCHA strength, or content/spam flooding.
-* Clickjacking on pages without sensitive actions.
-* Bugs that require root/jailbroken devices or outdated browsers.
-* Issues in third-party services or libraries not managed by us.
+* Automated results: Reports generated by scanners that lack a manual, actionable proof of exploitability.
+* Configuration & Hygiene: Missing HTTP headers, TLS/SSL configurations, DNS records, or server banners.
+* Volume-based attacks: Denial of Service (DoS/DDoS) or rate-limiting issues.
+* Low-impact: Clickjacking on non-sensitive pages, or bugs requiring jailbroken devices/unsupported browsers.
+* Third-party: Issues in libraries or services not directly managed by us.
 
-While these may not be considered critical security vulnerabilities, we still care and may address them internally where appropriate. Your feedback helps us maintain a stronger security posture.
+### Responsible Disclosure Guidelines
 
-### Rewards
+To remain in good standing with our team, we ask that you:
 
-We may offer a discretionary reward (bounty) for valid, impactful reports that:
+* Do not publicly disclose vulnerabilities before we have confirmed a fix.
+* Do not access, modify, or delete data that does not belong to you.
+* Avoid any actions that could degrade or disrupt our services.
 
-* Are submitted responsibly and in good faith.
-* Are not the result of automated scanning.
-* Include a clear demonstration of how the issue can be exploited in practice.
+We appreciate the efforts of the security community in helping us maintain a safe environment.
 
-We do not offer rewards for:
+### Disclaimer
 
-* Reports generated solely through automated tools.
-* Vulnerabilities lacking a proof of concept.
-* Low-risk issues or theoretical attacks.
+This is a voluntary disclosure program rooted in the spirit of open-source collaboration. We operate this program to benefit the broader community and ensure the collective safety of our users. We do not offer any form of compensation for submitted reports. By submitting a report, you acknowledge that you are doing so without expectation of payment and waive any future claims for compensation.
 
-Reward amounts are determined at our discretion based on severity, impact, and quality of the report.
+### Related
 
-### Responsible Disclosure Guidelines
+* [Security Advisory](https://altcha.org/security-advisory)
 
-* Please do not publicly disclose vulnerabilities before we have had a chance to fix them.
-* Do not access, modify, or delete data that does not belong to you.
-* Avoid actions that could degrade or disrupt our services during testing.
-* Only test systems that are clearly part of our infrastructure.
+---
 
-We thank you for helping us keep our services safe and secure.
+Updated: Feb 4, 2026