# Vantage Digital LLC — Security Policy (RFC 9116)
# https://vantagedigital.dev/.well-known/security.txt

Contact: mailto:security@vantagedigital.app
Contact: mailto:legal@vantagedigital.app
Expires: 2027-05-02T23:59:00.000Z
Encryption: https://vantagedigital.dev/.well-known/pgp-key.txt
Preferred-Languages: en
Canonical: https://vantagedigital.dev/.well-known/security.txt
Policy: https://vantagedigital.dev/security
Acknowledgments: https://vantagedigital.dev/security#acknowledgments

# We welcome responsible disclosure of security vulnerabilities affecting:
# - vantagedigital.dev (marketing site)
# - cadence-app.netlify.app + branded coach domains running Cadence
# - any Vantage Digital LLC service or sub-processor relationship
#
# Please:
# - Email security@vantagedigital.app with technical details, reproduction steps, and impact.
# - Allow up to 72 business hours for initial acknowledgment.
# - Do not access, modify, or exfiltrate data beyond what is strictly necessary to demonstrate the vulnerability.
# - Do not run automated scanners against production systems without prior coordination.
# - Do not disclose publicly until we have had a reasonable opportunity to remediate (typically 90 days).
#
# We commit to:
# - Acknowledge your report within 72 business hours.
# - Provide a status update within 7 business days.
# - Coordinate disclosure timing with you.
# - Credit you publicly on /security#acknowledgments if you wish (or maintain your anonymity).
# - Not pursue legal action against good-faith researchers operating within these guidelines.
#
# Out of scope:
# - Social engineering of Vantage Digital employees, customers, or vendors.
# - Physical attacks on Vantage Digital infrastructure.
# - Denial-of-service testing.
# - Vulnerabilities in third-party sub-processors (report directly to them).
# - Self-XSS, missing CSP headers without demonstrable impact, missing best-practice headers without exploitability.