# Composenz security policy (RFC 9116).
# We welcome reports from security researchers acting in good faith.

Contact: mailto:security@composenz.com
Contact: mailto:david@composenz.com

# We acknowledge every valid report within 72 hours.
# Acknowledgement-SLA: 72 hours

# Expires within 12 months of the last update (RFC 9116 §2.5.5).
# TODO(founder): refresh this date on each review; automate before it lapses.
Expires: 2027-06-12T00:00:00.000Z

Preferred-Languages: en
Canonical: https://composenz.com/.well-known/security.txt
Policy: https://composenz.com/security

# Encryption key for sensitive reports.
# TODO(founder): publish the PGP public key at the URL below and uncomment.
# Encryption: https://composenz.com/.well-known/pgp-key.txt

# Safe harbour: we will not pursue legal action against researchers who, in good
# faith, follow this policy — accessing only their own data or our demo data,
# avoiding privacy violations, service disruption, and data destruction, and
# giving us reasonable time to remediate before any disclosure. We do not run a
# paid bug-bounty program at this time.