# Brainiall Security Policy
# RFC 9116 compliant security.txt
# https://securitytxt.org

Contact: mailto:security@brainiall.com
Contact: mailto:fabiosuizu@gmail.com
Expires: 2027-05-02T00:00:00Z
Encryption: https://chat.brainiall.com/.well-known/pgp-key.txt
Acknowledgments: https://chat.brainiall.com/security/acknowledgments
Preferred-Languages: en, pt-BR, es
Canonical: https://chat.brainiall.com/.well-known/security.txt
Policy: https://chat.brainiall.com/security
Hiring: https://chat.brainiall.com/jobs

# Scope:
# In-scope: chat.brainiall.com, api.brainiall.com
# Out-of-scope: jurai.pro (separate project, separate infrastructure)
#
# Bug bounty: We are an early-stage startup ($0 MRR currently) so cannot
# offer monetary rewards yet. We DO offer:
# - Public acknowledgment in our security/acknowledgments page
# - 12 months free Brainiall Pro Team plan ($1,188 value)
# - Direct introduction to relevant industry contacts
#
# Severity guidelines:
# Critical (RCE, auth bypass, full data leak): 24h response, fix < 7 days
# High (SQL injection, XSS, IDOR): 48h response, fix < 14 days
# Medium (CSRF, info leak): 72h response, fix < 30 days
# Low (best practice deviations): 7-day response, no SLA on fix
#
# Out-of-scope vulnerabilities:
# - Self-XSS that requires the user to paste a payload into devtools
# - Missing security headers without demonstrated impact
# - Theoretical CSRF on logout endpoints
# - Rate limit bypass without demonstrated impact
# - Exposed source code (we open-source SDK examples intentionally)
#
# Safe harbor: Good faith security research will NOT result in legal
# action. We commit to following industry-standard responsible disclosure
# norms and acknowledging researchers who help us improve.