# AtlasRisks responsible-disclosure policy
# https://atlasrisks.com/.well-known/security.txt
# RFC 9116

Contact: mailto:security@atlasrisks.com
Contact: https://atlasrisks.com/contact.html
Expires: 2027-05-17T00:00:00Z
Preferred-Languages: en
Canonical: https://atlasrisks.com/.well-known/security.txt
Policy: https://atlasrisks.com/help/security.html

# What's in scope:
#   - atlasrisks.com (and subdomains)
#   - /api/* endpoints
#   - the admin console at /admin
# What's out of scope:
#   - Stripe-hosted checkout / billing portal (report to Stripe)
#   - Subprocessors (Netlify, Resend, CARTO, OSM) — report to them directly
#
# We are a small team and we respond personally to every report. Please
# allow up to 5 business days for acknowledgment. Production-impacting
# issues will be acknowledged within 1 business day.
#
# We do not currently run a paid bug-bounty program but we acknowledge
# coordinated disclosures publicly (with researcher consent) in the
# /changelog after the fix ships.