# Ancilla — responsible disclosure policy
# https://ancilla.live/.well-known/security.txt
# Per RFC 9116.

Contact: mailto:security@ancilla.live
Expires: 2027-05-24T00:00:00Z
Preferred-Languages: en
Canonical: https://ancilla.live/.well-known/security.txt

# What we want
# - Report responsibly. Give us a reasonable disclosure window
#   (default 90 days) before public publication.
# - Include reproduction steps and impact.
# - We will acknowledge receipt within 72 hours.
#
# What we promise
# - We won't sue you for honest disclosure.
# - We will credit you publicly unless you ask us not to.
# - We will keep you informed of fix timing.
#
# What's out of scope (pre-release)
# - Bugs in unpublished code (we'll fix; nothing to disclose yet).
# - Issues that require physical access to a host already trusted by the owner.