# EduGPT.nl Security Contact Information
# This file follows the RFC 9116 standard for security.txt files
# Last updated: 2025-01-09

# === PRIMARY CONTACT INFORMATION ===
# For security vulnerabilities and incidents involving educational data
Contact: mailto:info@edugpt.nl
Contact: tel:+31-6-21991666
Encryption: https://edugpt.nl/.well-known/edugpt-security-key.asc
Policy: https://edugpt.nl/security-disclosure
Acknowledgments: https://edugpt.nl/security-hall-of-fame
Preferred-Languages: nl, en
Expires: 2026-01-31T23:59:59.000Z

# === EDUCATIONAL DATA PROTECTION NOTICE ===
# EduGPT.nl processes sensitive educational data including:
# - Student records (including minors)
# - Teacher and staff information
# - Academic assessments and grading data
# - Educational institution infrastructure details
#
# We handle vulnerabilities involving student or minor data with
# the HIGHEST URGENCY in strict compliance with:
# - AVG/GDPR (Algemene Verordening Gegevensbescherming)
# - BIO 2.0 (Baseline Informatiebeveiliging Overheid)
# - NDS (Nederlandse Digitaliseringsstrategie)
# - EU AI Act
# - Wet op het onderwijstoezicht

# === SCOPE ===
# In-scope:
# - All *.edugpt.nl domains and subdomains
# - EduGPT mobile applications (iOS/Android)
# - API endpoints at api.edugpt.nl
# - Student/teacher authentication systems
# - Academic integrity monitoring tools
# - Data processing and storage systems
# - Integration points with school IT infrastructure
#
# Out-of-scope:
# - test.edugpt.nl, staging.edugpt.nl
# - Physical security of educational institutions
# - Social engineering of staff/students
# - Denial of Service (DoS/DDoS) attacks
# - Clickjacking on pages with no sensitive actions

# === RESPONSE COMMITMENT ===
# - Initial acknowledgment: Within 24 hours
# - Initial assessment: Within 72 hours
# - Critical student data issues: Immediate escalation
# - Resolution timeline: Based on severity (Critical: 48h, High: 7d, Medium: 30d, Low: 90d)

# === PRIVACY & CONFIDENTIALITY ===
# We guarantee:
# - No retaliation against good-faith security researchers
# - Confidential handling of all reports
# - GDPR-compliant processing of reporter information
# - Coordination with affected educational institutions when required
# - Protection of researcher identity unless disclosure is requested

# === RECOGNITION PROGRAM ===
# We value researchers who help protect Dutch students' privacy and academic integrity.
# Qualifying reports may receive:
# - Public acknowledgment (with permission)
# - EduGPT Security Researcher certificate
# - Priority support for responsible disclosure
# - Invitation to our annual EdTech Security Summit

# === REPORTING GUIDELINES ===
# Please include in your report:
# 1. Type of vulnerability
# 2. Affected component/URL
# 3. Potential impact on students/teachers
# 4. Steps to reproduce
# 5. Proof of concept (if applicable)
# 6. Your recommendations for mitigation

# === LEGAL SAFE HARBOR ===
# We consider security research conducted according to this policy as:
# - Authorized under the Computer Fraud and Abuse Act (CFAA)
# - Exempt from DMCA claims
# - Conducted in good faith
# - Protected under Dutch cybersecurity research laws

# === CONTACT FOR URGENT STUDENT SAFETY ISSUES ===
# For immediate threats to student safety or data:
# Emergency: +31-6-21991666 (available during business hours)
# Email escalation: info@edugpt.nl

# Canonical URLs
Canonical: https://edugpt.nl/.well-known/security.txt
Canonical: https://edugpt.nl/security.txt

# This file is maintained by CivAI B.V. i.o.
# For updates to security contact information, please contact info@edugpt.nl