Contact: mailto:security@hopsapp.nl
Contact: mailto:hello@hopsapp.nl
Expires: 2027-05-16T00:00:00.000Z
Preferred-Languages: nl, en
Canonical: https://hopsapp.nl/.well-known/security.txt
Policy: https://hopsapp.nl/beveiliging

# PGP encryption: not yet provisioned. We accept plain-text reports
# at the contacts above (TLS-protected in transit by your mail
# provider's SMTP). A PGP key for sensitive reports will be added at
# /.well-known/pgp-key.asc when generated — see operator runbook at
# docs/runbooks/pgp-key-setup.md.

# Maison Hops · Coordinated Vulnerability Disclosure
#
# We welcome reports from security researchers. If you have found a
# vulnerability in any *.hopsapp.nl property, please email the contacts
# above. Include enough detail to reproduce; we will acknowledge within
# 72 hours and aim to remediate within 30 days for high-severity issues.
#
# In scope:
# - hopsapp.nl, www.hopsapp.nl (marketing site)
# - login.hopsapp.nl (SSO + tenant entry)
# - app.hopsapp.nl (tenant landing)
# - {tenant-slug}.hopsapp.nl (tenant subdomain)
# - {module}.hopsapp.nl (module subdomains: rooster, fooi, …)
#
# Out of scope:
# - Social engineering of staff or customers
# - Physical access to office or hardware
# - DDoS / volumetric attacks
# - Findings on third-party services we depend on (Microsoft Azure,
#   Cloudflare, Stripe) — please report those upstream first.
#
# We do not currently run a paid bug bounty programme but credit
# researchers in this file's history on request.
#
# Compliance posture: see https://hopsapp.nl/beveiliging
# Audit-binder (technical evidence: per-norm mapping to file paths +
# commits) available on request to security@hopsapp.nl under NDA.
# Frameworks covered: NEN 7510, NEN 7513, BIO 1.04, ISO 27001:2022,
# SOC 2, AVG/GDPR, NIS2. Stage: technical controls live, external
# certs gated on first LOI from each market.