# AuthenlySign Security Policy
# RFC 9116 Compliant - https://www.rfc-editor.org/rfc/rfc9116
# Last Updated: 2026-04-09

# Required Fields
Contact: mailto:security@authenlysign.com
Contact: https://authenlysign.com/security#contact
Expires: 2027-03-09T23:59:59.000Z

# Recommended Fields
Encryption: https://authenlysign.com/pgp-key.txt
Acknowledgments: https://authenlysign.com/security#hall-of-fame
Preferred-Languages: en
Canonical: https://authenlysign.com/.well-known/security.txt
Policy: https://authenlysign.com/security#vulnerability-disclosure
Hiring: https://authenlysign.com/careers#security

# Bug Bounty Program
# We offer rewards for responsible disclosure of security vulnerabilities.
# See https://authenlysign.com/security#bug-bounty for details.
#
# Rewards:
# - Critical: $500 - $2,000
# - High: $200 - $500
# - Medium: $50 - $200
# - Low: $25 - $50

# Scope
# In-scope targets:
# - *.authenlysign.com (all subdomains)
# - app.authenlysign.com (production application)
# - api.authenlysign.com (API endpoints)
# - Authentication and authorization
# - Document processing and storage
# - Electronic signature infrastructure
# - Payment processing (Stripe integration)
# - SIEM and audit log endpoints

# Out of Scope
# The following are NOT eligible for rewards:
# - Social engineering attacks
# - Physical security issues
# - Third-party services and libraries (report to vendors)
# - Denial of service attacks
# - Spam or social media abuse
# - Rate limiting issues
# - Missing security headers (unless exploitable)
# - Theoretical vulnerabilities without PoC

# Security Contact
# For urgent security issues, contact our security team:
# Primary: security@authenlysign.com
# PGP Key: https://authenlysign.com/pgp-key.txt
# PGP Fingerprint: XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX XXXX

# Disclosure Timeline
# Our commitment to security researchers:
# - Day 0: Report received and acknowledged within 24 hours
# - Day 1-7: Initial triage and validation
# - Day 7-30: Fix development and testing
# - Day 30-90: Deployment and verification
# - Day 90+: Coordinated public disclosure

# CAA Records
# Our domain is protected by CAA records restricting certificate issuance to:
# - letsencrypt.org
# - digicert.com
# - sectigo.com
# Verify: dig CAA authenlysign.com

# Compliance
# AuthenlySign maintains compliance with:
# - SOC 2 Type II (in progress)
# - GDPR (EU data protection)
# - HIPAA (healthcare data, when applicable)
# - eIDAS (electronic signatures)

# This file was generated on 2026-04-09
# Validate at: https://securitytxt.org/