# AOSIQ — Security Disclosure Policy
# RFC 9116: https://www.rfc-editor.org/rfc/rfc9116

# Primary contact for security reports
Contact: mailto:security@aosiq.com

# This file expires one year from publication; a current version
# is always available at https://aosiq.com/.well-known/security.txt
Expires: 2027-05-09T20:21:16.000Z

# We acknowledge receipt within two business days. We aim to provide
# a substantive response (assessment, mitigation plan, or request for
# additional information) within seven business days.

# Please write reports in English when possible.
Preferred-Languages: en

# Canonical location of this policy
Canonical: https://aosiq.com/.well-known/security.txt

# Public policy and threat model
Policy: https://aosiq.com/threat-model.html

# We invite responsible disclosure on:
# - Authentication or authorization bypass in the AOSIQ runtime
# - Audit chain integrity issues (chain forging, anchor bypass)
# - Capability token forgery, replay, or escalation
# - Sandboxed code execution escapes
# - Injection attacks not covered by current mitigations
# - Any discrepancy between threat-model.html and shipped behavior
#
# We are particularly interested in reports that include a
# reproducible test case against a recent published release.
#
# We will not pursue legal action against researchers who:
# - Make a good-faith effort to avoid privacy violations and
#   destruction or modification of data
# - Give us reasonable time to investigate and address the issue
#   before public disclosure
# - Do not exploit findings beyond the minimum necessary to
#   demonstrate the vulnerability
#
# We are a small team. We will respond to every report we receive,
# but we cannot offer monetary bounties at this time. Public
# acknowledgment is available on request.
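The file above follows the RFC 9116 field format, and a published security.txt is only useful while its Contact is reachable and its Expires stamp is still in the future. The script below is an added example, not part of AOSIQ's published file: it parses the field lines (comments and blank lines skipped, field names case-insensitive as the RFC specifies) and runs the checks a maintainer would want before publishing or on a schedule: Contact present and using a mailto/https/tel scheme, Expires present exactly once, parseable, not past, and no more than a year out, Preferred-Languages at most once, and Canonical/Policy URIs served over https. The embedded sample is a constructed copy of the fields shown on this page.

```python
"""Parse and sanity-check an RFC 9116 security.txt file (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed copy of the field lines from the AOSIQ file above, used as sample input.
SAMPLE_SECURITY_TXT = """\
# AOSIQ Security Disclosure Policy
Contact: mailto:security@aosiq.com
Expires: 2027-05-09T20:21:16.000Z
Preferred-Languages: en
Canonical: https://aosiq.com/.well-known/security.txt
Policy: https://aosiq.com/threat-model.html
"""

# RFC 9116 expects Contact values to be URIs; these are the common schemes.
ALLOWED_CONTACT_SCHEMES = ("mailto:", "https://", "tel:")


def parse_security_txt(text: str) -> dict:
    """Return {field name (lower case): [values...]}; comments and blank lines are skipped."""
    fields: dict = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields


def parse_expires(value: str) -> datetime:
    """Parse the ISO 8601 timestamp RFC 9116 requires; a trailing 'Z' means UTC."""
    stamp = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if stamp.tzinfo is None:
        raise ValueError("Expires must carry a timezone")
    return stamp


def check_security_txt(fields: dict, now: datetime) -> list:
    """Return a list of problems found; an empty list means the file passes."""
    problems = []

    contacts = fields.get("contact", [])
    if not contacts:
        problems.append("Contact is required")
    for uri in contacts:
        if not uri.startswith(ALLOWED_CONTACT_SCHEMES):
            problems.append(f"Contact uses an unexpected scheme: {uri}")

    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
    else:
        try:
            when = parse_expires(expires[0])
        except ValueError as exc:
            problems.append(f"Expires is not a valid timestamp: {exc}")
        else:
            if when <= now:
                problems.append("file has expired; researchers should treat it as stale")
            elif when - now > timedelta(days=365):
                problems.append("Expires is more than a year away (RFC 9116 recommends less)")

    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages must appear at most once")

    # Policy and Canonical are fetched by researchers; insist on https so they cannot be tampered with in transit.
    for key in ("canonical", "policy"):
        for uri in fields.get(key, []):
            if not uri.startswith("https://"):
                problems.append(f"{key} should use https: {uri}")
    return problems


if __name__ == "__main__":
    parsed = parse_security_txt(SAMPLE_SECURITY_TXT)
    for problem in check_security_txt(parsed, datetime.now(timezone.utc)):
        print("PROBLEM:", problem)
```

Run it against the live file (for example after fetching https://aosiq.com/.well-known/security.txt) from a cron job, and alert when the problem list is non-empty; the "expired" case is the one most often missed, because the file keeps serving fine long after researchers are told to stop trusting it.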