Contact: mailto:security@1f.ai
Expires: 2027-12-31T23:59:59.000Z
Encryption: https://1f.ai/.well-known/pgp-key.txt
Acknowledgments: https://1f.ai/security/acknowledgments
Preferred-Languages: en
Canonical: https://1f.ai/.well-known/security.txt
Policy: https://1f.ai/security/policy

# Responsible disclosure
# We appreciate reports of security issues. Please email security@1f.ai
# with reproduction steps. We respond within 72 hours and aim to remediate
# critical issues within 7 days. We will publicly credit researchers (with
# permission) on /security/acknowledgments after the fix ships.
#
# In scope:
#   - 1f.ai web app, API, WebSocket stream
#   - Authentication, billing, and case-management flows
#   - Stripe webhook handler, signing-key validation
#
# Out of scope:
#   - Reports requiring physical access, social engineering, or DDoS
#   - Automated scanner output without exploitable proof
#   - Issues in third-party dependencies already disclosed upstream