# Bonfiyah Security Disclosure
# RFC 9116-conformant security.txt
# https://bonfiyah.com/.well-known/security.txt

Contact: mailto:security@bonfiyah.com
Contact: mailto:legal@bonfiyah.com
Expires: 2027-05-17T23:59:59-04:00
Preferred-Languages: en
Canonical: https://bonfiyah.com/.well-known/security.txt
Policy: https://bonfiyah.com/security-disclosure

# We welcome responsible disclosure from security researchers.
# Please email security@bonfiyah.com with:
# - Clear vulnerability description
# - Steps to reproduce
# - Expected vs actual behaviour
# - Your preferred name / handle for credit (or "anonymous")
#
# We respond within 72 hours (business days) and target a fix
# within 30 days for high-severity issues. We do not run a paid
# bug bounty programme yet (planned once ARR > $1M), but we will
# credit responsible disclosure publicly on our security page
# unless you ask for anonymity.
#
# Out of scope (please do not report):
# - Rate-limit testing against production
# - Brute-force / credential-stuffing simulations
# - Denial-of-service (we have separate hardening guards)
# - Findings in third-party services (AssemblyAI, Anthropic,
#   CloudKit, Stripe, Railway) — report directly to them.