# ScaneReport — Vulnerability Disclosure
# RFC 9116 — https://datatracker.ietf.org/doc/html/rfc9116
#
# Found a vulnerability in scanereport.online or a self-hosted install?
# Please report it privately before any public disclosure.

Contact: mailto:reposit0rgamedev@gmail.com
Contact: https://t.me/nknaumov
Expires: 2027-06-09T00:00:00.000Z
Preferred-Languages: uk, en
Canonical: https://scanereport.online/.well-known/security.txt
Policy: https://scanereport.online/security-policy

# What we care about
# - Authentication / authorization bypass
# - Server-side injection (SQLi, command, SSRF)
# - Insecure direct object reference (IDOR) on /api/*
# - Crypto weaknesses (SQLCipher, bcrypt config, TOTP, license signing)
# - Anything that lets a tenant read another tenant's data
# - Anything that lets a brigade worker read admin data
#
# Out of scope
# - Self-XSS or brute-force without rate-limit bypass (we rate-limit /auth)
# - Missing security headers on static landing pages
# - Reports from automated scanners with no PoC
# - Findings on test/staging subdomains
#
# Response targets
# First reply: ≤ 48 hours
# Triage decision: ≤ 7 days
# Fix or workaround: best effort, normally ≤ 30 days for high severity
#
# We're a one-person project — patience appreciated. Coffee preferred over money.
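The file above follows the RFC 9116 security.txt format. The checker below is an added example, not ScaneReport's own code: it parses a security.txt (the file above is embedded as a constructed sample), reports RFC MUST violations as errors (missing Contact or Expires, a repeated single-value field, an Expires that is not RFC 3339 or is already past) and SHOULD-level advice as warnings (Expires more than a year out, plain-http contact URI, Canonical not at the /.well-known/ path). The function and constant names (`parse_security_txt`, `validate`, `SAMPLE`) are my own and are not part of the file or any project.

```python
"""Minimal RFC 9116 security.txt checker (added example; not ScaneReport code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the ScaneReport security.txt above, embedded so this runs offline.
SAMPLE = """\
# ScaneReport — Vulnerability Disclosure
# RFC 9116 — https://datatracker.ietf.org/doc/html/rfc9116
Contact: mailto:reposit0rgamedev@gmail.com
Contact: https://t.me/nknaumov
Expires: 2027-06-09T00:00:00.000Z
Preferred-Languages: uk, en
Canonical: https://scanereport.online/.well-known/security.txt
Policy: https://scanereport.online/security-policy
# Out of scope
# - Self-XSS or brute-force without rate-limit bypass
"""

REQUIRED = ("Contact", "Expires")            # RFC 9116: both MUST be present
SINGLE_ONLY = ("Expires", "Preferred-Languages")  # RFC 9116: MUST NOT appear more than once
KNOWN = {"Acknowledgments", "Canonical", "Contact", "CSAF", "Encryption",
         "Expires", "Hiring", "Policy", "Preferred-Languages"}
FIELD_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*):\s*(\S.*)$")
LANG_TAG_RE = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{1,8})*$")


def parse_security_txt(text):
    """Return ({field: [values...]}, problems); '#' comments and blank lines are skipped."""
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_RE.match(line)
        if not m:
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        fields.setdefault(m.group(1), []).append(m.group(2).strip())
    return fields, problems


def parse_expires(value):
    """Expires is RFC 3339; rewrite a trailing 'Z' so older Pythons' fromisoformat accept it."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate(text, now=None):
    """Return (errors, warnings): errors are MUST violations, warnings are SHOULD-level advice."""
    now = now or datetime.now(timezone.utc)
    fields, errors = parse_security_txt(text)
    warnings = []
    for name in REQUIRED:
        if name not in fields:
            errors.append(f"missing required field {name}")
    for name in SINGLE_ONLY:
        if len(fields.get(name, [])) > 1:
            errors.append(f"{name} must not appear more than once")
    for name in fields:
        if name not in KNOWN:
            warnings.append(f"unknown field {name} (extensions are allowed, tools ignore them)")
    for uri in fields.get("Contact", []):
        if uri.startswith("http://"):
            warnings.append(f"Contact {uri} is plain http; use https")
        elif not uri.startswith(("mailto:", "tel:", "https://")):
            errors.append(f"Contact {uri} is not a mailto:, tel: or https: URI")
    for value in fields.get("Expires", [])[:1]:
        try:
            exp = parse_expires(value)
        except ValueError:
            errors.append(f"Expires {value!r} is not RFC 3339 / ISO 8601")
            continue
        if exp.tzinfo is None:
            errors.append("Expires lacks a time zone offset (RFC 3339 requires one)")
        elif exp <= now:
            errors.append(f"file expired at {value}; researchers must treat it as stale")
        elif exp - now > timedelta(days=365):
            warnings.append("Expires is more than a year out; RFC 9116 recommends under a year")
    for value in fields.get("Preferred-Languages", []):
        for tag in (t.strip() for t in value.split(",")):
            if not LANG_TAG_RE.match(tag):
                errors.append(f"Preferred-Languages tag {tag!r} is not a valid language tag")
    for uri in fields.get("Canonical", []):
        if not uri.startswith("https://"):
            errors.append(f"Canonical {uri} must be an https URI")
        if not uri.endswith("/.well-known/security.txt"):
            warnings.append(f"Canonical {uri} is not at the /.well-known/ location")
    return errors, warnings


if __name__ == "__main__":
    errs, warns = validate(SAMPLE)
    print("errors:", errs)
    print("warnings:", warns)
```

Run it against your own file with `validate(open(".well-known/security.txt").read())`; `now` is a parameter so the expiry check can be pinned in tests. The checker does not verify an OpenPGP cleartext signature, which RFC 9116 treats as optional and this file does not use.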