# EmailSavy security disclosure policy
# https://emailsavy.com/.well-known/security.txt
# Format: RFC 9116

Contact: mailto:emailsavy@startuptalky.com
Contact: https://emailsavy.com/contact
Expires: 2027-04-25T00:00:00.000Z
Preferred-Languages: en
Canonical: https://emailsavy.com/.well-known/security.txt
Policy: https://emailsavy.com/privacy

# Reporting guidelines
# - Please use the contact email above with subject "Security report".
# - Include reproduction steps + affected URL/component.
# - Do not publicly disclose the issue until we've had a reasonable
#   chance to remediate (we aim for 90 days).
# - We don't currently run a paid bounty program, but we genuinely
#   appreciate responsible disclosure and will credit reporters
#   (with their permission) on a public security acknowledgments page.
#
# In scope:
#   - emailsavy.com and all subdomains
#   - The EmailSavy Chrome extension (CWS ID: gjbefmbgbdjbhnhhgbhbbipfkdfpdfjo)
#
# Out of scope:
#   - Theoretical attacks without proof of exploit
#   - Issues already known + tracked
#   - Findings on third-party services (Razorpay, AWS) — report those to the vendor