# Veacon Vulnerability Disclosure Policy
# RFC 9116 — https://www.rfc-editor.org/rfc/rfc9116
#
# If you have found a security vulnerability, please report it through the
# channels below. We follow the principle of coordinated disclosure and
# appreciate responsible reporting. A formal bug bounty program is planned
# for introduction after cohort 1 traffic.

Contact: mailto:hello@veacon.io
Contact: https://veacon.io/trust
Expires: 2027-04-26T00:00:00Z
Preferred-Languages: ko, en
Canonical: https://veacon.io/.well-known/security.txt
Policy: https://veacon.io/security

# Scope:
# - https://veacon.io and *.veacon.io subdomains
# - https://api.veacon.io endpoints (currently routed via veacon.io)
#
# Out of scope:
# - Third-party processors (Vercel, Supabase, Stripe, Sentry, Upstash) —
#   report to those vendors directly. Veacon's sub-processor list at
#   https://veacon.io/trust#sub-processors links each one's own DPA /
#   security contact.
#
# Response timeline:
# - Initial acknowledgement within 48 hours
# - Triage + severity assessment within 5 business days
# - Critical fix or mitigation within 14 days
#
# Hall of Fame:
# - Pending first valid report. Public credit (with researcher consent)
#   once the first patch ships.