Security: bettergovph/bettergov

SECURITY.md

Security Policy

Reporting Vulnerabilities

If you discover a security vulnerability in BetterGov.ph, please report it responsibly by emailing security@bettergov.ph.

When reporting, please include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and severity
  • Any relevant screenshots or proof-of-concept code (if applicable)

We will acknowledge your report within 48 hours and provide a more detailed response within 7 days, outlining our next steps.

Scope

This security policy applies to the BetterGov.ph website, its associated services, and any related infrastructure.

Out of Scope

The following issues are considered out of scope for security reports:

  • Scam & phishing attempts involving BetterGov.ph services
  • Physical security vulnerabilities
  • Social engineering attacks
  • Functional, UI, and UX bugs including:
    • Spelling mistakes
    • Formatting issues
    • Visual design inconsistencies
  • Descriptive error messages
  • HTTP error codes/pages
  • Missing security headers without practical security impact
  • Best practice recommendations without security impact
  • Version disclosure without vulnerabilities
  • Theoretical vulnerabilities without proof of exploitation

Disclosure Policy

Reporting Process

  1. Initial Report:

    • Submit your vulnerability report via email
    • Include all necessary details and proof of concept
    • Our team will confirm receipt of your report
  2. Review and Validation:

    • Our security team reviews the reported issue
    • We may ask for additional information or clarification
    • Valid reports will be confirmed and prioritized
  3. Fix Development:

    • For confirmed vulnerabilities, we will:
      • Work on a fix via pull request
      • Invite you to collaborate if you're interested
      • Test the fix thoroughly
      • Coordinate the release timeline

Recognition Program

  • Credit in our security hall of fame
  • Public acknowledgment (if desired)
  • Detailed in our security advisories

Disclosure Guidelines

  • Do not disclose the vulnerability to others while it is under investigation
  • Do not exploit the vulnerability for any purpose
  • Do not access, modify, or delete data
  • Provide reasonable time for resolution
  • Follow responsible disclosure practices

Legal Safe Harbor

We will not take legal action against you if you:

  • Follow our disclosure guidelines
  • Do not compromise user data
  • Do not exploit vulnerabilities for malicious purposes
  • Report vulnerabilities promptly and responsibly

Contact

For any security-related inquiries, contact us at security@bettergov.ph.

There aren’t any published security advisories