Responsible Disclosure
Effective Date: October 28, 2025
PHOCA, LLC (“PHOCA,” “we,” “us,” or “our”) is committed to keeping our website and users safe. We welcome good-faith reports of security vulnerabilities. This policy explains what’s in scope, how to report, what we ask of you, and how we’ll respond.
1. Scope
• In scope: Public web properties operated by PHOCA that link to this policy, including our informational site and its “Contact” and “Survey” forms.
• Out of scope: Third-party platforms or services we don’t control (e.g., hosting provider infrastructure, analytics vendors, form providers, CDNs), personal accounts not owned by PHOCA, and any property that does not link to or clearly fall under this policy.
• If you are unsure whether something is in scope, ask us before testing.
2. How to report a vulnerability
Send a private email to: info@phocaenergy.com
Subject line: “Security Report — [short summary]”
Please include:
• Affected URL(s) and clear, step-by-step reproduction instructions.
• Expected vs. actual behavior and the security impact (what could an attacker do?).
• Minimal proof-of-concept (PoC) demonstrating the issue without exfiltrating data.
• Any screenshots, request/response samples, and your test environment (browser, OS, tools).
• Your contact information for follow-up.
Do not publicly disclose the issue until we have confirmed remediation or mutually agree otherwise.
3. Our response targets (not a promise or contract)
• Acknowledge receipt within 2 business days.
• Provide a meaningful status update or path to resolution within 10 business days.
• Coordinate on disclosure timing once a fix is prepared or deployed.
4. Safe-harbor commitment (good-faith research)
If you: (a) comply with this policy; (b) make a good-faith effort to avoid privacy violations, service degradation, and data destruction; (c) do not access or retain more data than necessary to demonstrate the vulnerability; and (d) promptly report the issue to us and delete any data obtained, then PHOCA will not initiate legal action against you for your security research. This is not authorization to act on behalf of PHOCA or to access any data or systems beyond what is reasonably necessary to demonstrate the issue. Testing must halt immediately if you encounter personal information or sensitive data.
5. Rules of engagement (what’s prohibited)
Do not:
• Perform denial-of-service (DoS/DDoS), spam, brute-force or credential-stuffing attacks, or load tests.
• Execute or attempt social engineering, phishing, or physical intrusion.
• Access, modify, or download data that is not your own; no data exfiltration.
• Run automated scanning that could impact service stability.
• Use exploits that could lead to persistent compromise, lateral movement, or backdoors.
• Share, disclose, or monetize vulnerabilities or data prior to remediation.
• Test on third-party services or accounts not owned by PHOCA.
6. What findings are generally out of scope
• Self-XSS, clickjacking on non-sensitive pages, or CSRF on non-state-changing forms.
• Missing best-practice headers without demonstrable exploitability (e.g., X-Frame-Options on purely static pages).
• Open redirect with user-uncontrollable destination or no practical exploit chain.
• Rate-limiting or brute-force issues without a realistic abuse scenario.
• SPF/DMARC/DKIM “soft” configuration suggestions without proven spoofing risk.
• Vulnerabilities that require a compromised device, rooted/jailbroken environment, or MITM without additional weakness on our side.
• Reports consisting only of automated scanner output without a working PoC.
7. Data handling expectations
• If you inadvertently access personal data, stop testing, do not store, share, or transfer it, and report immediately.
• Delete any test data obtained as soon as it is no longer needed to demonstrate the issue and confirm deletion upon request.
8. Recognition and rewards
At this time we do not offer a bug bounty or monetary rewards. With permission, we may acknowledge your contribution after remediation.
9. No confidentiality or employment relationship
Submitting a report does not create any confidentiality, employment, or contractor relationship with PHOCA. We may use any information you provide to remediate vulnerabilities and improve our security.
10. Updates to this policy
We may update this Responsible Disclosure policy from time to time. The Effective Date above reflects the most recent version.
11. Emergency contact
If you believe a vulnerability is actively being exploited or presents an immediate risk, please include “URGENT” in the email subject line and provide a short summary so we can triage quickly.
