{"policy_version":"1.0","organization":{"name":"Internal Security Engineering","legal_name":"Internal Security Engineering","psirt_contact":"psirt@example.com","submission_url":"https://cradar-demo.hr-st.com.tw/security/submit","preferred_languages":["en","zh-Hant"]},"scope":{"in_scope":["Products listed in the vendor's public catalog (/lookup).","Latest GA release and the immediately previous release of each product.","First-party services run by the organization at production endpoints."],"out_of_scope":["Social-engineering attacks against staff or supply-chain partners.","Physical attacks against vendor or customer facilities.","Denial-of-service attacks that interrupt customer service.","Findings that depend on outdated browsers (more than 2 versions old) or an unsupported OS.","Reports generated solely by automated scanners without exploit demonstration."]},"reporting_channels":[{"type":"email","value":"psirt@example.com","pgp":""},{"type":"web_form","value":"https://cradar-demo.hr-st.com.tw/security/submit"}],"sla":{"acknowledge_days":5,"initial_response_days":10,"default_disclosure_window_days":90,"disclosure_window_note":"The default 90-day coordinated disclosure window can be extended by mutual agreement for complex vulnerabilities; researchers may request shorter timelines for actively exploited issues."},"safe_harbor":{"offered":true,"summary":"Researchers acting in good faith and respecting this policy will not face civil, criminal, or administrative action initiated by the vendor.\nGood faith requires: (1) testing only in-scope assets, (2) avoiding service disruption and data destruction, (3) not accessing data beyond what is necessary to prove impact, and (4) reporting through the channels listed above before public disclosure."},"rewards":{"monetary":false,"non_monetary":["Public acknowledgment in the vendor's security advisories (if researcher consents)","Inclusion in the vendor's hall-of-fame page (when configured)"]},"compliance":{"frameworks":["EU CRA (Regulation 2024/2847) Annex I Part II §2.5 + §2.6","ISO/IEC 29147:2018 — Vulnerability disclosure","ISO/IEC 30111:2019 — Vulnerability handling processes"]},"issued_at":"2026-06-10T08:44:43.484146+00:00"}