# Offersly responsible disclosure — RFC 9116
# https://offersly.app/.well-known/security.txt

Contact: mailto:security@offersly.app
Expires: 2027-05-29T00:00:00.000Z
Preferred-Languages: en
Canonical: https://offersly.app/.well-known/security.txt
Policy: https://offersly.app/security

# We pay attention to:
# - Authentication & authorization bypasses (RLS, JWT handling, session)
# - Injection (SQL, command, path, NoSQL)
# - SSRF / XXE / deserialization
# - Sensitive data exposure (PII, AI conversation history, payment refs)
# - Account takeover / credential leakage
# - Cross-tenant data leakage
#
# We do NOT consider in-scope:
# - Spam/phishing using the offersly.app domain (report to abuse@)
# - Best-practice nitpicks without demonstrable impact
# - DDoS / volumetric attacks
# - Findings against third-party sub-processors (report to them directly)
#
# Please do NOT:
# - Test against accounts you don't own
# - Scrape or exfiltrate other users' data
# - Run automated scanners that generate load
# - Publicly disclose before we acknowledge and fix the issue