# Marturia — security disclosure policy (RFC 9116)
#
# Found a vulnerability or want to discuss responsible disclosure?
# Email Gabriel directly — he reads every message.

Contact: mailto:gabriel@marturia.dev
Contact: https://marturia.dev/
Expires: 2027-05-14T00:00:00.000Z
Preferred-Languages: en
Canonical: https://marturia.dev/.well-known/security.txt
Policy: https://marturia.dev/.well-known/security-policy
Acknowledgments: https://marturia.dev/.well-known/security-acks

# Scope: marturia.dev and all subdomains.
# Out of scope: contractorclaw.app (separate product, separate disclosure
# channel at security@contractorclaw.app).
#
# Closed beta — fast triage for anything that affects:
# - Cryptographic integrity (signatures, hash chain, public keys)
# - Cross-tenant data access
# - Authentication / authorisation bypass
# - Receipt tampering or replay
#
# No bug bounty cash yet (closed beta budget); we'll publicly credit
# legitimate disclosures on the acknowledgments page if you want it.