# DLTD security disclosure policy
# Per RFC 9116 — https://www.rfc-editor.org/rfc/rfc9116

Contact: mailto:security@dltd.app
Contact: https://dltd.app/security
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
Canonical: https://dltd.app/.well-known/security.txt
Policy: https://dltd.app/trust

# Reporting a vulnerability
#
# We acknowledge reports within 24 hours and patch critical issues within 7 days.
# Please include reproduction steps, affected URL(s), and your contact info.
#
# We do NOT have a paid bug bounty program. We DO maintain a public hall of
# fame for confirmed reports. Severity-rated swag for high-impact findings.
#
# Out of scope (do not report — these are intended behavior):
# - Missing security headers on /_next/static/* (Next.js owns these)
# - Account enumeration via the password-reset flow (Supabase-managed)
# - Rate limiting on public marketing pages
# - Stripe checkout iframe behavior (handled by Stripe)
#
# In scope:
# - Any path under /api/*
# - Authentication / session / cookie issues
# - Authorization bypass against another user's data
# - Information disclosure (PII, broker data, audit logs)
# - CSRF / SSRF / open redirect / cache poisoning
# - Anything that breaks our published privacy claims at /privacy
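A small RFC 9116 parser and checker, added here as an example (it is not part of DLTD's file or tooling), that reads a security.txt like the one above, collects its multi-valued fields, and flags the problems a maintainer most often misses: a missing Contact, an Expires that is malformed or has lapsed, and a Canonical that does not list the URL the file was actually served from. The SAMPLE text and the parse_security_txt, parse_timestamp and check_security_txt names are constructed for this example.

```python
"""Minimal RFC 9116 security.txt parser and checker (added example, not DLTD code)."""
from datetime import datetime, timezone

# Constructed sample mirroring the fields in the file above.
SAMPLE = """\
# DLTD security disclosure policy
Contact: mailto:security@dltd.app
Contact: https://dltd.app/security
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
Canonical: https://dltd.app/.well-known/security.txt
Policy: https://dltd.app/trust
"""

def parse_security_txt(text):
    """Return {field: [values]}. Comments and blank lines are skipped and field
    names are lower-cased, since RFC 9116 makes them case-insensitive."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if sep:  # lines without a colon are malformed and ignored here
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def parse_timestamp(value):
    # Accepts RFC 3339 values such as 2027-01-01T00:00:00.000Z; raises ValueError otherwise.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_security_txt(text, fetched_from, now_iso=None):
    """Return a list of problems (empty means pass); fetched_from is compared to Canonical."""
    now = parse_timestamp(now_iso) if now_iso else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = []
    if not fields.get("contact"):
        problems.append("missing required Contact field")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            if parse_timestamp(expires[0]) <= now:
                problems.append("Expires is in the past")
        except ValueError:
            problems.append("Expires is not a valid timestamp")
    if fetched_from not in fields.get("canonical", []):
        problems.append("Canonical does not list the URL the file was fetched from")
    return problems
```

Running the checker against the file as part of deployment catches the silent failure mode of a security.txt that expired and was never renewed.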