# security.txt — RFC 9116
# Coordinated vulnerability disclosure for fatcousin.com

Contact: mailto:labs@fatcousin.com
Contact: https://github.com/odneb/FatCousin/security/advisories/new
Contact: https://github.com/odneb/FatCousin/issues
Expires: 2027-12-31T23:59:59Z
Preferred-Languages: en
Canonical: https://fatcousin.com/.well-known/security.txt

# Notes for researchers:
# - fatcousin is a static + client-side application. No user accounts,
#   no sessions, no server-side processing of user file data. Most
#   classes of vulnerability (auth bypass, IDOR, server-side injection)
#   are out of scope by construction.
# - In-scope: XSS, CSP bypasses, supply-chain risk in npm dependencies,
#   prototype pollution in tool engines, secret leakage in the build,
#   sandbox escapes from WASM workers, accidental network exfiltration
#   that contradicts our local-first promise.
# - Out of scope: missing rate-limiting (there is no API), missing
#   account lockout (there are no accounts), self-XSS via paste, and
#   reports purely from automated scanners with no reproduction steps.
# - Please demonstrate impact. Please give us reasonable time to fix
#   before public disclosure (we aim for <14 days for confirmed issues).
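A small RFC 9116 checker, added here as an example (it is not part of the fatcousin project): it parses the field lines above, enforces the required `Contact`/`Expires` fields, the at-most-once rule for `Expires` and `Preferred-Languages`, the URI scheme of `Contact` values, and flags an `Expires` that is already past or more than a year out. The `SAMPLE` text is constructed from this page; the `now` parameter is an assumed hook so the expiry check can be run against a fixed date.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the field lines of the fatcousin.com file on this page.
SAMPLE = """# security.txt — RFC 9116
Contact: mailto:labs@fatcousin.com
Contact: https://github.com/odneb/FatCousin/security/advisories/new
Expires: 2027-12-31T23:59:59Z
Preferred-Languages: en
Canonical: https://fatcousin.com/.well-known/security.txt
"""

REQUIRED = {"contact", "expires"}            # RFC 9116: both MUST be present
SINGLETON = {"expires", "preferred-languages"}  # RFC 9116: at most one each
CONTACT_SCHEMES = ("mailto:", "https://", "tel:")

def _ts(value):
    """Parse an RFC 3339 / ISO 8601 timestamp; 'Z' is accepted on any Python 3.7+."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def parse(text):
    """Return (field, value) pairs in file order; comments and blank lines are skipped."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not a field line: {raw!r}")
        fields.append((name.strip().lower(), value.strip()))  # field names are case-insensitive
    return fields

def validate(text, now=None):
    """Return a list of problems (empty means the file passes these checks).
    `now` is an optional ISO 8601 string (assumed hook for testing); defaults to the current UTC time."""
    now_dt = _ts(now) if now else datetime.now(timezone.utc)
    fields = parse(text)
    names = [f for f, _ in fields]
    problems = [f"missing required field: {r}" for r in sorted(REQUIRED) if r not in names]
    problems += [f"field must appear at most once: {s}" for s in sorted(SINGLETON) if names.count(s) > 1]
    for name, value in fields:
        if name == "contact" and not value.lower().startswith(CONTACT_SCHEMES):
            problems.append(f"contact is not a mailto/https/tel URI: {value}")
        if name == "expires":
            try:
                exp = _ts(value)
            except ValueError:
                problems.append(f"expires is not an ISO 8601 date-time: {value}")
                continue
            if exp <= now_dt:
                problems.append(f"file has expired: {value}")
            elif exp - now_dt > timedelta(days=365):
                problems.append(f"expires more than a year out (RFC 9116 recommends less): {value}")
    return problems
```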