# Heardley security disclosure
# https://heardley.com/security.txt
# RFC 9116 compliant

Contact: mailto:support@heardley.com
Expires: 2027-12-31T23:59:59.000Z
Preferred-Languages: en
Canonical: https://heardley.com/security.txt
Policy: https://heardley.com/legal/terms
Acknowledgments: https://heardley.com/security.txt

# Scope:
# *.heardley.com (web app, dashboard, API, webhook endpoint).
#
# In-scope vulnerabilities we want to hear about:
# - Auth bypass, session fixation, account takeover
# - SQL injection, command injection, deserialization bugs
# - SSRF, RCE
# - Cross-tenant data leaks (one Heardley user seeing another's data)
# - Stripe webhook signature bypass, billing tampering
# - Subdomain takeover
# - Stored XSS in dashboard rendering
#
# Out of scope:
# - Missing security headers without proof of exploitability
# - Self-XSS or social engineering of staff
# - Rate-limit / brute-force findings on /auth/login (already rate-limited)
# - Outdated library versions without a working PoC against this deployment
# - DoS / volumetric attacks
#
# Disclosure expectations:
# - Please give us 90 days to fix before public disclosure.
# - We don't run a paid bounty but happily credit researchers on this page
#   and provide written validation for resumes/portfolios.
# - First valid critical finding receives a free Heardley Lifetime license.