# Brainiall — Security Disclosure Policy
# RFC 9116 compliant. Last reviewed: 2026-05-07.
# We respond to coordinated security reports from researchers worldwide.

Contact: mailto:security@brainiall.com
Contact: mailto:abuse@brainiall.com
Expires: 2027-05-07T00:00:00.000Z
Preferred-Languages: en, pt-BR
Canonical: https://app.brainiall.com/.well-known/security.txt
Policy: https://app.brainiall.com/trust
Acknowledgments: https://app.brainiall.com/trust

# Scope:
# In scope: *.brainiall.com (api, app, status), Marketplace SaaS webhook,
#           Bearer-key auth flow, rate limit + replay-attack defenses,
#           free-tier abuse vectors (account farming, residential proxy
#           evasion, API key resale).
# Out of scope: third-party services we integrate with (Microsoft AD,
#           AWS Marketplace, Cloudflare) — report those directly to the vendor.
#
# Reporting:
# security@brainiall.com — vulnerabilities, security disclosures
# abuse@brainiall.com    — free-tier abuse, account farming, illicit content
#                          uploaded by users (CSAM, non-consensual imagery,
#                          data exfiltration via S5 Memory dead-drop)
#
# What we ask:
# - Allow us 90 days to patch before public disclosure.
# - Do not exfiltrate customer data; demonstrate impact with synthetic
#   tenants only (free-tier signup is sufficient).
# - Do not run mass automated scans that degrade service for other users.
#
# What we do:
# - Acknowledge within 2 business days.
# - Triage and assign severity within 5 business days.
# - Credit in /trust unless the researcher prefers anonymity.
# - Currently no monetary bounty — public credit + branded swag.
# - Abuse reports: actioned within 24h (business hours); account
#   suspension within 1h on confirmed CSAM / illicit content.
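The header claims RFC 9116 compliance, which is a mechanically checkable claim. The following is an added Python checker (example code, not Brainiall's own tooling) that parses the field lines of the file above, embedded verbatim, and enforces the RFC's rules as I read them: Contact and Expires are required; Expires and Preferred-Languages may appear at most once; web URIs must use https; Expires must be an RFC 3339 timestamp that has not passed; and, per the RFC's recommendation, Expires should be less than a year out (this file's Expires is exactly one year after its review date, so it sits on that edge). The caller supplies `now` so the result is deterministic. Two practitioner notes the checker does not cover: RFC 9116 also recommends an OpenPGP cleartext signature over the file, which this one does not carry, and the file must actually be served at the Canonical URL over HTTPS.

```python
"""Minimal RFC 9116 (security.txt) conformance check.

Added example; not Brainiall's tooling. Parses the security.txt above
(embedded verbatim below) and checks required fields, single-use fields,
URI schemes, the Expires timestamp, and Preferred-Languages tags.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from urllib.parse import urlsplit

# Field lines copied from the file above so the check runs offline.
SECURITY_TXT = """\
# Brainiall — Security Disclosure Policy
# RFC 9116 compliant. Last reviewed: 2026-05-07.
Contact: mailto:security@brainiall.com
Contact: mailto:abuse@brainiall.com
Expires: 2027-05-07T00:00:00.000Z
Preferred-Languages: en, pt-BR
Canonical: https://app.brainiall.com/.well-known/security.txt
Policy: https://app.brainiall.com/trust
Acknowledgments: https://app.brainiall.com/trust
"""

# Field names defined by RFC 9116 (field names are case-insensitive).
RFC9116_FIELDS = {"acknowledgments", "canonical", "contact", "encryption",
                  "expires", "hiring", "policy", "preferred-languages"}
SINGLE_USE = {"expires", "preferred-languages"}     # MUST NOT appear more than once
URI_FIELDS = {"acknowledgments", "canonical", "contact", "encryption", "hiring", "policy"}
LANG_TAG = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$")   # simplified BCP 47 shape
FIELD_LINE = re.compile(r"^([A-Za-z][A-Za-z-]*):\s*(.+?)\s*$")


@dataclass
class Report:
    fields: dict[str, list[str]] = field(default_factory=dict)
    errors: list[str] = field(default_factory=list)      # MUST violations
    warnings: list[str] = field(default_factory=list)    # SHOULD / RECOMMENDED

    @property
    def ok(self) -> bool:
        return not self.errors


def parse(text: str) -> Report:
    """Collect field name (lower-cased) -> values; '#' comments and blanks are skipped."""
    rep = Report()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FIELD_LINE.match(line)
        if not m:
            rep.errors.append(f"line {n}: not a 'Field: value' line: {line!r}")
            continue
        rep.fields.setdefault(m.group(1).lower(), []).append(m.group(2))
    return rep


def parse_expires(value: str) -> datetime:
    """RFC 9116 requires an RFC 3339 timestamp; the replace keeps this working on
    Python < 3.11, where fromisoformat does not accept a trailing 'Z'."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        raise ValueError("missing timezone offset")
    return dt


def check(text: str, now: datetime) -> Report:
    """Run the RFC 9116 checks against `text` as of the timezone-aware instant `now`."""
    rep = parse(text)
    f = rep.fields
    for name in ("contact", "expires"):
        if name not in f:
            rep.errors.append(f"{name}: required field missing")
    for name in SINGLE_USE:
        if len(f.get(name, [])) > 1:
            rep.errors.append(f"{name}: must not appear more than once")
    for name in f:
        if name not in RFC9116_FIELDS:
            rep.warnings.append(f"{name}: not an RFC 9116 field (parsers must ignore it)")
    for name in URI_FIELDS & f.keys():
        for v in f[name]:
            scheme = urlsplit(v).scheme.lower()
            if not scheme:
                rep.errors.append(f"{name}: value is not a URI: {v!r}")
            elif scheme == "http":
                rep.errors.append(f"{name}: web URIs must use https: {v!r}")
    if len(f.get("expires", [])) == 1:
        try:
            exp = parse_expires(f["expires"][0])
        except ValueError as e:
            rep.errors.append(f"expires: bad RFC 3339 timestamp ({e})")
        else:
            if exp <= now:
                rep.errors.append(f"expires: file expired at {exp.isoformat()}")
            elif exp - now > timedelta(days=365):
                rep.warnings.append("expires: more than a year out; RFC 9116 recommends less")
    for v in f.get("preferred-languages", []):
        for tag in (t.strip() for t in v.split(",")):
            if not LANG_TAG.match(tag):
                rep.errors.append(f"preferred-languages: bad language tag {tag!r}")
    return rep


if __name__ == "__main__":
    r = check(SECURITY_TXT, datetime.now(timezone.utc))
    print("OK" if r.ok else "FAIL", *r.errors, *r.warnings, sep="\n")
```

Run it from a cron job or CI with the fetched `/.well-known/security.txt` body in place of `SECURITY_TXT`; an expired file is an error, not a warning, because RFC 9116 says consumers should treat it as stale.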