# TaxItEasy security contact (RFC 9116)
# https://taxiteasy.org/.well-known/security.txt

Contact: mailto:security@taxiteasy.org
Contact: https://taxiteasy.org/security.html#disclosure
Expires: 2027-04-29T00:00:00.000Z
Preferred-Languages: en, de
Canonical: https://taxiteasy.org/.well-known/security.txt
Policy: https://taxiteasy.org/security.html#disclosure
Acknowledgments: https://taxiteasy.org/security.html#hall-of-fame

# Scope:
# - taxiteasy.org and all sub-domains
# - app.taxiteasy.org (web app)
# - api.taxiteasy.org (REST API)
# - in.taxiteasy.org (inbound email)
#
# Out of scope:
# - Vendor-side issues on Anthropic, Stripe, DigitalOcean, Cloudflare, Resend
#   (please report to the respective vendor)
# - Social-engineering against staff
# - Physical security
#
# Response targets:
# - First reply within 48 hours
# - Severity classification within 5 business days
# - Fix or mitigation timeline communicated within 10 business days
#
# We do not currently run a paid bug bounty. We acknowledge reporters who
# follow responsible disclosure on our Hall of Fame page (see Acknowledgments).