# Security disclosure for FixAEO — RFC 9116 compliant.
# Researchers can pick this up via https://fixaeo.com/.well-known/security.txt
# and contact us directly with vulnerabilities before disclosure.

Contact: mailto:security@fixaeo.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
Canonical: https://fixaeo.com/.well-known/security.txt

# What's in scope:
# * fixaeo.com and any subdomain (api.fixaeo.com, app subroutes)
# * the public scan API endpoints
# * the authenticated /app/* product surface
#
# What's out of scope (please don't test):
# * denial-of-service attacks against the LLM-provider quotas
# * social engineering of customers
# * physical or wireless attacks
# * stale information in cached AI engine responses (those are the
#   responses we're auditing, not our infrastructure)
#
# We aim to respond to verified reports within 5 business days and
# coordinate disclosure on a reasonable timeline. We do not currently
# operate a paid bug bounty, but we credit researchers (with their
# permission) and respond to every good-faith report.
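The following checker verifies the RFC 9116 requirements the fields above rely on (Contact present and a URI, Expires exactly once, well-formed and in the future, Canonical matching the fetched URL). It is an added example, not FixAEO's own code; it assumes the file has already been fetched and is passed in as text, and the embedded sample is constructed from the fields above.

```python
from datetime import datetime, timezone
# Constructed sample: the field lines of the file above, plus one comment line.
SAMPLE = """\
# Security disclosure for FixAEO
Contact: mailto:security@fixaeo.com
Expires: 2027-01-01T00:00:00.000Z
Preferred-Languages: en
Canonical: https://fixaeo.com/.well-known/security.txt
"""

def parse_security_txt(text):
    """Return {field_name: [values]}; field names are case-insensitive per RFC 9116."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):  # blank lines and comments carry no fields
            continue
        name, sep, value = line.partition(":")
        if sep:  # lines without "Name: value" shape are ignored rather than fatal
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, fetched_from=None):
    """Return a list of problems; an empty list means the RFC 9116 checks passed."""
    fields = parse_security_txt(text)
    problems = []
    # Contact MUST appear at least once, and each value is a URI (web URIs use https).
    if "contact" not in fields:
        problems.append("missing Contact")
    for contact in fields.get("contact", []):
        if not contact.startswith(("mailto:", "https://", "tel:")):
            problems.append("Contact is not a mailto/https/tel URI: " + contact)
    # Expires MUST appear exactly once, as an ISO 8601 date-time, and be in the future.
    if len(fields.get("expires", [])) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            # fromisoformat() on older Pythons rejects a trailing 'Z', so normalise it.
            exp = datetime.fromisoformat(fields["expires"][0].replace("Z", "+00:00"))
            if exp.tzinfo is None:
                problems.append("Expires has no time zone")
            elif exp <= datetime.now(timezone.utc):
                problems.append("file has expired")
        except ValueError:
            problems.append("Expires is not an ISO 8601 date-time")
    # Canonical is optional, but when present it should list the URL actually fetched.
    if fetched_from and fetched_from not in fields.get("canonical", []):
        problems.append("fetched URL not listed in Canonical")
    return problems
```

Run it against the live file on a schedule so an expired Expires value (which RFC 9116 says readers should treat as stale) is caught before researchers do.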