# Aurelius security disclosure policy
# Per RFC 9116. If you've found a security issue, thank you. Please follow
# the contact + scope below before publicly disclosing.

Contact: mailto:security@aurelius.work
Expires: 2027-05-22T00:00:00.000Z
Preferred-Languages: en
Canonical: https://aurelius.work/.well-known/security.txt
Policy: https://aurelius.work/security.html
Acknowledgments: https://aurelius.work/security.html#acknowledgments

# Scope: aurelius.work and *.aurelius.work, including /api/* endpoints.
# Out of scope: third-party services (Anthropic, Stripe, Turso, Vercel,
# Resend, Cloudflare) — report those upstream.
#
# Safe harbor: we will not pursue legal action against security researchers
# who report issues in good faith and within the scope above, do not access
# or modify data beyond what is necessary to demonstrate the issue, do not
# disrupt service, and give us a reasonable disclosure window (default: 90
# days from acknowledged receipt).
#
# Response SLA: acknowledgment within 5 business days. Triage + initial
# response within 10 business days. Coordinated disclosure target: 90 days.