# security.txt - Calibration Ledger
# RFC 9116 · https://securitytxt.org/
# If you believe you've found a security issue, please report it responsibly.

Contact: mailto:contact@editnative.com
Preferred-Languages: en, nl
Canonical: https://calibrationledger.com/.well-known/security.txt
Policy: https://calibrationledger.com/terms/
Expires: 2027-04-24T00:00:00Z

# What's in scope
# ----------------
# - The calibrationledger.com web application (static Next.js export)
# - The machine-readable endpoints (/api/methodology.json, /llms.txt, sitemaps)
# - Cloudflare Pages deploy surface for this domain
#
# Out of scope
# ------------
# - Cloudflare infrastructure (report to https://hackerone.com/cloudflare)
# - Upstream dependencies (Next.js, React, Tailwind) - report to those projects directly
# - Phishing sites using the Calibration Ledger brand (report to the registrar + AI Now)
#
# Disclosure preferences
# ----------------------
# - Email the operator with "CL-SECURITY" in the subject line
# - Please do NOT open GitHub issues for vulnerabilities; coordinate by email first
# - 90-day responsible-disclosure window preferred; coordinated publication welcomed after fix ships
# - The operator is a solo maintainer - response time is 2-5 business days
#
# Hall of thanks
# --------------
# Legitimate security researchers whose reports lead to a fix get credit on a dedicated page
# (once one exists) or an inline acknowledgement in the site's changelog / CHANGELOG.md.