Update SECURITY.md

SECURITY.md

@@ -2,8 +2,18 @@
 STAYAWAY COVID applications and services are based on the DP3T approach to proximity tracing, aiming at minimising the information that is collected to achieve its goal: Helping to reduce transmission and, in the end, making all our lives better.
 Privacy and security are therefore our number one concern. If you believe you have found a security vulnerability in this repository, in the DP3T software packages, or in any of the packages that we use, please report it to us as described below.
 
+# Out of scope
+The following situations and circumstances will be considered out of the scope of this vulnerability disclosure policy and thus not considered as appropriate according to the common responsible disclosure procedures:
+- Exploit vulnerabilities or use techniques that may lead to degradation or denial of service;
+- Use of means and resources that are disproportionate and inadequate to prove identified vulnerabilities;
+- Conduct physical security tests, use social engineering techniques, spam or phishing as well as extend testing to third-party applications even if they are being used by the STAYAWAY COVID applications;
+- Human resources exploitation;
+- Use of identified vulnerabilities or errors to access data beyond what is strictly necessary for its verification;
+- Erasing or modifying data.
+
+
 # Reporting Security Issues
-Please do not report security vulnerabilities through public GitHub issues.
+**Please do not report security vulnerabilities through public GitHub issues.**
 Instead, please report them to INESC TEC at [email protected]. You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Please include as much information as you can provide to help us better understand the issue.
 
 # Credits