# Warrant — coordinated security disclosure policy
# RFC 9116. Plain text. Canonical at the URL below.

Contact: mailto:security@warrant.build
Expires: 2027-05-11T00:00:00Z
Preferred-Languages: en
Canonical: https://www.warrant.build/.well-known/security.txt
Policy: https://www.warrant.build/security
Acknowledgments: https://www.warrant.build/security#acknowledgments

# What we do
# - Triage every report sent to security@warrant.build within 5 business days.
# - Status update within 14 days. Fix or detailed plan within 90 days from triage.
# - Coordinated disclosure by default. CVE assignment for CVSS >= 4.0 or where a
#   published artefact is affected. Public acknowledgment for confirmed findings
#   on the policy page above.

# What we do NOT do
# - We do not operate a paid bug bounty. Acknowledgment is by name, not by payment.
# - We do not acknowledge or engage with reports that withhold reproduction
#   details until payment is promised. Send the full reproduction in the first
#   email or do not send.
# - We do not respond to template / beg-bounty solicitations that do not name
#   a specific endpoint and a specific reproducible finding.
# - We do not engage with reports that were generated by an automated scanner
#   without a manual analyst pass that confirms exploitability.

# In scope
# - warrant.build, www.warrant.build, api.warrant.build, app.warrant.build,
#   and any public artefact signed by the published Ed25519 keys.
# - Out of scope: rate-limit findings without an exploit chain, missing security
#   headers without a demonstrated exploit, banner / version disclosure,
#   social-engineering of staff, physical attacks.