# RFC 9116 — security.txt
# https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:security@auditrail.app
Contact: https://auditrail.app/legal/security
Expires: 2027-05-19T00:00:00.000Z
Preferred-Languages: en, fr
Canonical: https://auditrail.app/.well-known/security.txt
Policy: https://auditrail.app/legal/security
Acknowledgments: https://auditrail.app/legal/security#acknowledgments

# We take vulnerability reports seriously. A real human reads security@
# within 48 hours and you'll get a coordinated-disclosure timeline back.
# See the policy URL above for scope, rules of engagement, and reward
# tiers.
#
# In scope:
# - https://auditrail.app and all subdomains
# - the Better Auth / magic-link / passkey / 2FA flows
# - the /api/* surface
# - the iCal feed (/api/cal/[token])
# - the Stripe + SharePoint webhooks
# - the R2-backed photo upload/download flow
#
# Out of scope (per policy):
# - DoS / volumetric attacks
# - social engineering of staff
# - reports without a working proof of concept
# - third-party SaaS vulnerabilities (report directly to the vendor)
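A file like the one above is only useful if it still parses and has not lapsed, so a publisher should lint it before and after deployment. The following is an added example, not code belonging to auditrail.app or to RFC 9116 itself: a small parser for the `Field: value` grammar plus the checks the RFC spells out (Contact required and limited to mailto/tel/https, Expires present exactly once, in the future and ideally under a year away, Preferred-Languages at most once, no plaintext http URIs, and the served URL appearing in Canonical). The `SAMPLE` text is a constructed copy of the machine-readable lines above; `now` is injected as an ISO 8601 string so the result does not depend on the wall clock.

```python
"""Minimal RFC 9116 (security.txt) parser and sanity checker (added example)."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed copy of the machine-readable fields from the file above, embedded so the
# check runs offline instead of fetching /.well-known/security.txt.
SAMPLE = """\
# RFC 9116 security.txt
Contact: mailto:security@auditrail.app
Contact: https://auditrail.app/legal/security
Expires: 2027-05-19T00:00:00.000Z
Preferred-Languages: en, fr
Canonical: https://auditrail.app/.well-known/security.txt
Policy: https://auditrail.app/legal/security
Acknowledgments: https://auditrail.app/legal/security#acknowledgments
"""


def parse_iso8601(value):
    """Parse the Expires format (ISO 8601 / RFC 3339). A trailing 'Z' is accepted on
    every Python 3 version; a naive timestamp is taken as UTC."""
    dt = datetime.fromisoformat(value.strip().replace("Z", "+00:00"))
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def parse_security_txt(text):
    """Map lower-cased field names (field names are case-insensitive) to their values,
    skipping comments and blank lines. Raises ValueError on a line that is neither."""
    fields = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: not a 'Field: value' line: {line!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def check_security_txt(text, now, served_at=None):
    """Apply the RFC 9116 rules that matter when publishing. `now` is an ISO 8601
    string, `served_at` the URL the file was fetched from. Returns a list of problems
    (an empty list means the file passes)."""
    now_dt = parse_iso8601(now)
    problems = []
    try:
        fields = parse_security_txt(text)
    except ValueError as e:
        return [str(e)]

    # Contact (Section 2.5.3): REQUIRED; mailto:, tel: or https: only.
    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact: required field missing")
    for c in contacts:
        if urlparse(c).scheme.lower() not in ("mailto", "tel", "https"):
            problems.append(f"Contact: unsupported or insecure URI {c!r}")

    # Expires (Section 2.5.5): REQUIRED, exactly once, ISO 8601, in the future,
    # and recommended to be less than a year away.
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append(f"Expires: must appear exactly once (found {len(expires)})")
    else:
        try:
            exp = parse_iso8601(expires[0])
        except ValueError:
            problems.append(f"Expires: not ISO 8601: {expires[0]!r}")
        else:
            if exp <= now_dt:
                problems.append("Expires: file has expired; researchers should ignore it")
            elif exp - now_dt > timedelta(days=365):
                problems.append("Expires: more than a year out (RFC 9116 recommends less)")

    # Preferred-Languages (Section 2.5.8): MUST NOT appear more than once.
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages: must not appear more than once")

    # Web URIs in any field MUST be https; a plaintext link invites tampering.
    for name, values in fields.items():
        for v in values:
            if v.lower().startswith("http://"):
                problems.append(f"{name}: plaintext http URI {v!r}")

    # Canonical (Section 2.5.2): the location the file is served from should be listed.
    canon = fields.get("canonical", [])
    if served_at and canon and served_at not in canon:
        problems.append(f"Canonical: served at {served_at!r}, not listed in Canonical")
    return problems


if __name__ == "__main__":
    url = "https://auditrail.app/.well-known/security.txt"
    for p in check_security_txt(SAMPLE, "2026-06-01T00:00:00Z", url) or ["OK"]:
        print(p)
```

Run it from a deploy hook against the fetched file, and again from a scheduled job: the same file that passes at publication will start failing the Expires check as the date approaches, which is exactly the reminder the RFC intends that field to provide.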