# Littlab — Security disclosure policy
# RFC 9116 compliant — https://www.rfc-editor.org/rfc/rfc9116
#
# If you have found a security vulnerability affecting littlab.com,
# the Littlab Android app or any Littlab service, please contact us
# via the email below. We respond within 48 hours on business days.

Contact: mailto:security@littlab.com
Contact: https://littlab.com/contact

# Until 2027-05-17 — re-issue this file before expiry.
Expires: 2027-05-17T00:00:00.000Z

# We accept reports in English and French.
Preferred-Languages: en, fr

# Our security and privacy policies (no separate vulnerability disclosure page yet).
Policy: https://littlab.com/privacy
Policy: https://littlab.com/legal

# Canonical URL of this file.
Canonical: https://littlab.com/.well-known/security.txt

# Scope:
# - littlab.com and all its subdomains
# - Littlab Android application
# - Any official Littlab API endpoint (api.littlab.com, app.littlab.com)
#
# Out of scope:
# - Third-party services (Cloudflare, Resend, Google Play, etc.)
# - Volumetric DoS (please report to Cloudflare directly)
# - Social engineering, physical attacks
#
# We do not currently run a paid bug bounty programme, but we
# acknowledge responsible disclosures publicly (with your consent)
# and offer hall of fame credit.