# SoloTrade - Security disclosure
# https://www.rfc-editor.org/rfc/rfc9116.html
#
# Update Expires every 12 months when the line below is regenerated.
# When this file is updated, also update docs/runbooks/CREDENTIAL_ROTATION.md
# and the /security/responsible-disclosure page.
#
# 2026-05-05: corrected canonical/contact URLs from solotrade.app
# (which is not operator-controlled - see OI-017) to solotrade.com.au.

Contact: mailto:security@solotrade.com.au
Contact: mailto:support@solotrade.com.au
Expires: 2027-05-05T00:00:00.000Z
Preferred-Languages: en
Canonical: https://solotrade.com.au/.well-known/security.txt
Policy: https://solotrade.com.au/security
Acknowledgments: https://solotrade.com.au/security#thanks

# We aim to acknowledge security reports within 2 business days and resolve
# critical issues within 14 days. We are a small team - patient, technical
# reports get fast traction.
#
# Out of scope:
# - Reports relying on social engineering of the operator
# - Reports on third-party services (Supabase, RevenueCat, Resend, Sentry,
#   Google Cloud - Document AI / Maps / Drive / Gmail / Play Integrity /
#   ML Kit, Upstash, Netlify, Expo Application Services, Apple App Store,
#   Google Play, Zoho Mail) - please report directly to the vendor
# - Theoretical vulnerabilities without a demonstrable exploit
#
# In scope:
# - Authentication / authorisation flaws
# - Data exposure (PII, business records, receipt photos, OCR output,
#   OAuth refresh tokens for Drive / Gmail, voice notes)
# - Privilege escalation
# - Injection (SQL, command, etc.)
# - Cryptography misuse
# - Bypass of Row Level Security policies
# - Bypass of Play Integrity in production Edge Functions
#
# We do not run a paid bounty program in v1. Public acknowledgment + a
# personal thank-you is what we can offer.
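The header comments above carry two maintenance rules that are easy to break silently: Expires must be regenerated before it lapses, and Canonical must point at the host the file is actually served from (the 2026-05-05 note records exactly that kind of drift). The following validator is an added example written for this page, not SoloTrade's tooling; it parses the field lines of the file above (copied inline, comments dropped) and applies the RFC 9116 checks a CI job would run on every change. The function names, the `fetched_from` argument and the one-year freshness threshold are this example's own choices.

```python
"""Validate an RFC 9116 security.txt file: field syntax, Expires freshness,
and that Canonical matches the URL the file is served from."""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Field lines copied from the SoloTrade security.txt above; the comment block
# is omitted because the parser skips comments anyway.
SAMPLE = """\
# SoloTrade - Security disclosure
Contact: mailto:security@solotrade.com.au
Contact: mailto:support@solotrade.com.au
Expires: 2027-05-05T00:00:00.000Z
Preferred-Languages: en
Canonical: https://solotrade.com.au/.well-known/security.txt
Policy: https://solotrade.com.au/security
Acknowledgments: https://solotrade.com.au/security#thanks
"""

SERVED_FROM = "https://solotrade.com.au/.well-known/security.txt"
# RFC 9116 allows each of these at most once per file.
SINGLETON_FIELDS = ("expires", "preferred-languages")
CONTACT_SCHEMES = {"mailto", "https", "tel"}
# Web-URL fields that must use https per RFC 9116.
HTTPS_FIELDS = ("canonical", "policy", "acknowledgments", "encryption", "hiring")


def parse_security_txt(text):
    """Return {field_name_lower: [values...]} in file order; comments and blank
    lines are skipped. Values are split on the first ':' only, so 'mailto:'
    and 'https:' URIs survive intact."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def validate(text, fetched_from, now_iso):
    """Return a list of (severity, message) findings; an empty list is clean.
    now_iso is the check time as an ISO 8601 string with a timezone."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    findings = []
    fields = parse_security_txt(text)

    for name in SINGLETON_FIELDS:
        if len(fields.get(name, [])) > 1:
            findings.append(("error", f"{name} must appear at most once"))

    contacts = fields.get("contact", [])
    if not contacts:
        findings.append(("error", "at least one Contact field is required"))
    for contact in contacts:
        if urlparse(contact).scheme not in CONTACT_SCHEMES:
            findings.append(("error", f"Contact has unexpected scheme: {contact}"))

    expires = fields.get("expires", [])
    if not expires:
        findings.append(("error", "Expires field is required"))
    else:
        try:
            exp = datetime.fromisoformat(expires[0].replace("Z", "+00:00"))
        except ValueError:
            exp = None
            findings.append(("error", f"Expires is not ISO 8601: {expires[0]}"))
        if exp is not None and exp.tzinfo is None:
            findings.append(("error", "Expires must carry a timezone"))
        elif exp is not None and exp <= now:
            findings.append(("error", f"file expired on {exp.isoformat()}"))
        elif exp is not None and exp - now > timedelta(days=365):
            # RFC 9116 recommends an Expires less than a year out.
            findings.append(("warning", "Expires is more than a year away"))

    for name in HTTPS_FIELDS:
        for value in fields.get(name, []):
            if urlparse(value).scheme != "https":
                findings.append(("error", f"{name} must be an https URL: {value}"))

    canonicals = fields.get("canonical", [])
    if canonicals and fetched_from not in canonicals:
        findings.append(("error",
                         f"Canonical does not list the serving URL {fetched_from}"))
    return findings


if __name__ == "__main__":
    for severity, message in validate(SAMPLE, SERVED_FROM, "2026-05-05T00:00:00Z") or [("ok", "clean")]:
        print(f"{severity}: {message}")
```

Run it from a pre-publish hook with `now_iso` set to the current time and `fetched_from` set to the URL the deploy will serve; the Canonical check is what would have flagged the solotrade.app mismatch noted in the file's changelog, and the freshness check fails the build once the Expires line is overdue for regeneration.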