# Binnacle AI — Vulnerability Disclosure
# Per RFC 9116 (https://securitytxt.org/)
# This file lives at https://binnacleai.com/.well-known/security.txt

Contact: mailto:security@binnacleai.com
Contact: mailto:fjordsadventures@gmail.com
Expires: 2027-05-08T00:00:00.000Z
Preferred-Languages: en
Canonical: https://binnacleai.com/.well-known/security.txt
Policy: https://binnacleai.com/trust#vulnerability-disclosure
Hiring: https://binnacleai.com/careers

# Scope
#
# In scope:
# - binnacleai.com (production application)
# - api.binnacleai.com (alias for binnacleai.com)
# - All /api/v1/* and /api/public/v1/* endpoints
# - All authenticated dashboard routes under /dashboard, /admin, /boat
#
# Out of scope:
# - Subprocessor systems (Stripe, Cloudflare, Vultr, Anthropic, Resend, Sentry)
# - Third-party libraries (report upstream)
# - Marketing site DDoS / rate-limit testing
# - Anything requiring social engineering of personnel

# How to report
#
# Email security@binnacleai.com with:
# 1. Affected URL or endpoint
# 2. Vulnerability description
# 3. Steps to reproduce
# 4. Impact assessment (your view)
# 5. Optional: PoC, CVE if known
#
# We acknowledge within 2 business days. We do not currently offer a
# bug bounty but credit researchers in /trust + /changelog if they
# wish.

# Safe harbor
#
# We will not pursue legal action for good-faith research that:
# - Avoids privacy violations (no exfiltration of customer data)
# - Does not disrupt service for other customers
# - Does not access any account that is not the researcher's own
# - Reports only after attempting responsible disclosure