# SousOps · Security disclosure
#
# Per RFC 9116 (Web Security Policies). Tell us about a vulnerability
# and we'll acknowledge within 2 business days and aim to ship a fix
# or mitigation within 30 days for HIGH-severity findings.

Contact: mailto:security@palisirestaurantgroup.com
Expires: 2027-06-09T00:00:00.000Z
Preferred-Languages: en
Canonical: https://sousops.com/.well-known/security.txt
Policy: https://sousops.com/SECURITY
Acknowledgments: https://sousops.com/SECURITY
Hiring: https://sousops.com

# Bug bounty is not formal yet. We'll thank you publicly and credit
# you in the changelog. If you want a coordinated disclosure window,
# tell us at first contact and we'll honor a reasonable one (usually
# 90 days, sometimes longer for ecosystem-wide fixes).

# What's in scope
# • sousops.com — the SaaS application + marketing site
# • Any cron endpoint under /api/cron/* (verifies HMAC secret)

# What's out of scope
# • Sub-processor surfaces (Vercel, Supabase, Resend, Anthropic, Intuit)
# • Social engineering of any employee or contractor
# • Physical security (delegated to platform sub-processors)
# • Denial of service via traffic volume
# • Vulnerabilities in third-party software we depend on but don't
#   operate (report those to the upstream maintainer)

# Out-of-scope reports will be acknowledged and forwarded; we just
# can't act on them ourselves.